ae2001d5b60a2f0bd8e72c0106363950cd9f68e9ce42b9a40b0af26814908809

Analysis

max time kernel
170s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

droidkit-en-setup.exe
Size

19.5MB
MD5

10b9713adf037d033d31f84d89d32c3d
SHA1

1396c8735135bfd8e96738fa48a3f88e8c45d3c7
SHA256

ae2001d5b60a2f0bd8e72c0106363950cd9f68e9ce42b9a40b0af26814908809
SHA512

9e7fbd6bbc2439b2eda5c5b5ccef8d639f9e9a772e34c05e0f949c28a4cf54eed98aa2fa6d4828fb250a8edd72fbc3ddf4a8f44b2119aa607983d91a1b26e178
SSDEEP

393216:YqrsNeQztKB1QH9MCPIpB6LhMtGiUIsBws6XYbTkrXDTNiDRUGJwPAEWXD:YUibzQoH9MSIMgDYUX3NiDRUGJ2YT

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

droidkit-en-setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	droidkit-en-setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

droidkit-en-setup.exe

description	ioc	process
File created	C:\Program Files (x86)\iMobie\DroidKit\java\lib\server\Xusage.txt	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\amd64\libusb-1.0_x86.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\server\jvm.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Languages\Language.TW.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe.config	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\img\right_mid2.png	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.desktop\ADDITIONAL_LICENSE_INFO	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.jdwp.agent\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\Modules\Module.FeedBack.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\i386\ssudnd5.sys	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Service.Export.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\System.ValueTuple.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\x86\libusb0.sys	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.base\asm.md	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.smartcardio\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\ss_conn_usb_driver.cat	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\libusb0_x86.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Service.Clean.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Service.RSL.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.naming\ADDITIONAL_LICENSE_INFO	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.xml.crypto\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.pack\LICENSE	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\Languages\Language.NL.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\ssudserd.cat	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\api-ms-win-core-libraryloader-l1-1-0.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\client\jvm.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\i386\ssudnet.sys	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\img\right_bottom2.png	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\img\right_top.png	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.scripting.nashorn\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\ssudbus.cat	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\api-ms-win-crt-convert-l1-1-0.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\i386\ssudbus.sys	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.compiler\ADDITIONAL_LICENSE_INFO	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.jsobject\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.management.agent\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.xml.dom\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\DB.BR.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\api-ms-win-crt-locale-l1-1-0.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\bin\client	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.desktop\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.sql\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Bypass\install_x64.exe	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.logging\LICENSE	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\bin\jabswitch.exe	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\jaccessinspector.exe	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\i386\ss_conn_launcher.exe	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.charsets	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\ssuddmgr.cat	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\amd64\ssudncm.sys	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\amd64\ssudrmnet.sys	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\ADSqliteLibrary.lib	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.zipfs\LICENSE	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\bin\api-ms-win-crt-process-l1-1-0.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\Languages\Language.JP.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\lib\psfont.properties.ja	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\resource\SamsungDriver\ssudmtp.inf	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\cyggcc_s-1.dll	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\libusb0.dll	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\img\file.png	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.management\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File created	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.jdwp.agent\ADDITIONAL_LICENSE_INFO	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\java\legal\jdk.management.jfr\ASSEMBLY_EXCEPTION	droidkit-en-setup.exe
File opened for modification	C:\Program Files (x86)\iMobie\DroidKit\DB.BR.dll	droidkit-en-setup.exe

Executes dropped EXE 2 IoCs

Processes:

DroidKit.exeaapt.exe

pid process

6452 DroidKit.exe
6912 aapt.exe

pid	process
6452	DroidKit.exe
6912	aapt.exe

Loads dropped DLL 26 IoCs

Processes:

droidkit-en-setup.exeDroidKit.exe

pid	process
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
6452	DroidKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exedroidkit-en-setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	droidkit-en-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	droidkit-en-setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

droidkit-en-setup.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeDroidKit.exe

pid	process
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3000	msedge.exe
3000	msedge.exe
4872	msedge.exe
4872	msedge.exe
4048	msedge.exe
4048	msedge.exe
6824	identity_helper.exe
6824	identity_helper.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
6452	DroidKit.exe
6452	DroidKit.exe
6452	DroidKit.exe
6452	DroidKit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

DroidKit.exe

description	pid	process
Token: SeDebugPrivilege	6452	DroidKit.exe
Token: SeBackupPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeIncreaseQuotaPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeTakeOwnershipPrivilege	6452	DroidKit.exe
Token: SeLoadDriverPrivilege	6452	DroidKit.exe
Token: SeSystemProfilePrivilege	6452	DroidKit.exe
Token: SeSystemtimePrivilege	6452	DroidKit.exe
Token: SeProfSingleProcessPrivilege	6452	DroidKit.exe
Token: SeIncBasePriorityPrivilege	6452	DroidKit.exe
Token: SeCreatePagefilePrivilege	6452	DroidKit.exe
Token: SeBackupPrivilege	6452	DroidKit.exe
Token: SeRestorePrivilege	6452	DroidKit.exe
Token: SeShutdownPrivilege	6452	DroidKit.exe
Token: SeDebugPrivilege	6452	DroidKit.exe
Token: SeSystemEnvironmentPrivilege	6452	DroidKit.exe
Token: SeRemoteShutdownPrivilege	6452	DroidKit.exe
Token: SeUndockPrivilege	6452	DroidKit.exe
Token: SeManageVolumePrivilege	6452	DroidKit.exe
Token: 33	6452	DroidKit.exe
Token: 34	6452	DroidKit.exe
Token: 35	6452	DroidKit.exe
Token: 36	6452	DroidKit.exe
Token: SeIncreaseQuotaPrivilege	6452	DroidKit.exe
Token: SeSecurityPrivilege	6452	DroidKit.exe
Token: SeTakeOwnershipPrivilege	6452	DroidKit.exe
Token: SeLoadDriverPrivilege	6452	DroidKit.exe
Token: SeSystemProfilePrivilege	6452	DroidKit.exe
Token: SeSystemtimePrivilege	6452	DroidKit.exe
Token: SeProfSingleProcessPrivilege	6452	DroidKit.exe
Token: SeIncBasePriorityPrivilege	6452	DroidKit.exe
Token: SeCreatePagefilePrivilege	6452	DroidKit.exe
Token: SeBackupPrivilege	6452	DroidKit.exe
Token: SeRestorePrivilege	6452	DroidKit.exe
Token: SeShutdownPrivilege	6452	DroidKit.exe
Token: SeDebugPrivilege	6452	DroidKit.exe
Token: SeSystemEnvironmentPrivilege	6452	DroidKit.exe
Token: SeRemoteShutdownPrivilege	6452	DroidKit.exe
Token: SeUndockPrivilege	6452	DroidKit.exe
Token: SeManageVolumePrivilege	6452	DroidKit.exe
Token: 33	6452	DroidKit.exe
Token: 34	6452	DroidKit.exe
Token: 35	6452	DroidKit.exe
Token: 36	6452	DroidKit.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

msedge.exefirefox.exedroidkit-en-setup.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
2360	firefox.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe
3076	droidkit-en-setup.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

msedge.exefirefox.exe

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
2360	firefox.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
2360	firefox.exe
2360	firefox.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2360 firefox.exe

pid	process
2360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

droidkit-en-setup.execmd.execmd.exefirefox.exemsedge.exemsedge.exefirefox.exe

description	pid	process	target process
PID 3076 wrote to memory of 4336	3076	droidkit-en-setup.exe	cmd.exe
PID 3076 wrote to memory of 4336	3076	droidkit-en-setup.exe	cmd.exe
PID 3076 wrote to memory of 4336	3076	droidkit-en-setup.exe	cmd.exe
PID 4336 wrote to memory of 4144	4336	cmd.exe	curl.exe
PID 4336 wrote to memory of 4144	4336	cmd.exe	curl.exe
PID 4336 wrote to memory of 4144	4336	cmd.exe	curl.exe
PID 3076 wrote to memory of 2572	3076	droidkit-en-setup.exe	cmd.exe
PID 3076 wrote to memory of 2572	3076	droidkit-en-setup.exe	cmd.exe
PID 3076 wrote to memory of 2572	3076	droidkit-en-setup.exe	cmd.exe
PID 2572 wrote to memory of 5052	2572	cmd.exe	curl.exe
PID 2572 wrote to memory of 5052	2572	cmd.exe	curl.exe
PID 2572 wrote to memory of 5052	2572	cmd.exe	curl.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 5020 wrote to memory of 2360	5020	firefox.exe	firefox.exe
PID 4048 wrote to memory of 1696	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 1696	4048	msedge.exe	msedge.exe
PID 3640 wrote to memory of 1508	3640	msedge.exe	msedge.exe
PID 3640 wrote to memory of 1508	3640	msedge.exe	msedge.exe
PID 2360 wrote to memory of 1560	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1560	2360	firefox.exe	firefox.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe
PID 4048 wrote to memory of 2012	4048	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\droidkit-en-setup.exe
"C:\Users\Admin\AppData\Local\Temp\droidkit-en-setup.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
2⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\curl.exe
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
3⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\curl.exe
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
3⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Download Successful\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
2⤵
PID:6512

C:\Windows\SysWOW64\curl.exe
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Download Successful\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
3⤵
PID:6596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Install Finished\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
2⤵
PID:7132

C:\Windows\SysWOW64\curl.exe
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Install Finished\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
3⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Application\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
2⤵
PID:2064

C:\Windows\SysWOW64\curl.exe
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"69253311\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Application\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
3⤵
PID:5624

C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe
"C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6452

C:\Program Files (x86)\iMobie\DroidKit\aapt.exe
"C:\Program Files (x86)\iMobie\DroidKit\aapt.exe" dump badging imobieservice.apk
3⤵
- Executes dropped EXE
PID:6912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.imobie.com/droidkit/thankyou/install-complete.htm
2⤵
PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac4a946f8,0x7ffac4a94708,0x7ffac4a94718
3⤵
PID:6316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffac4a946f8,0x7ffac4a94708,0x7ffac4a94718
2⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,927448151553036228,15292802792174151286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
2⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,927448151553036228,15292802792174151286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac4a946f8,0x7ffac4a94708,0x7ffac4a94718
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
2⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:6644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
2⤵
PID:6652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:6808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:6928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17846165814207328445,6731782725795682327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
2⤵
PID:4152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.0.1369616797\1916130154" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb4edf8-6065-4f07-bf99-f449cb4d099e} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1952 1fd4fed4258 gpu
3⤵
PID:1560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.1.239463623\120254576" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4530e99-0214-4216-880f-13a0d71bc230} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2408 1fd4fbfc958 socket
3⤵
PID:2872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.2.764460961\1046958232" -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c9b9fae-2e30-4c5a-a779-c3d219ef11b9} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3288 1fd53922d58 tab
3⤵
PID:5676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.3.1324836066\688012648" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1c155a-14a4-4aed-91a8-84b369f6f2d2} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3504 1fd5137b458 tab
3⤵
PID:5408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.4.17493177\1657730018" -childID 3 -isForBrowser -prefsHandle 3640 -prefMapHandle 3644 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa32914d-bb34-47cd-8efb-58741af49326} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3720 1fd5137b158 tab
3⤵
PID:5428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.5.774031507\465685812" -childID 4 -isForBrowser -prefsHandle 3524 -prefMapHandle 3632 -prefsLen 20929 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61df80ba-a24d-4a83-899a-cc10d12eb0d9} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3876 1fd5137d858 tab
3⤵
PID:5436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5632

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\iMobie\DroidKit\Core.Partition.dll
Filesize
64KB

MD5
d04d740785ca4e349e6fb0dc3bf6d270

SHA1
1991aaef18dd8455b26424b85485bc0750e57e7c

SHA256
fde14a500422278c9dd5c24bf2460d9a64791c1f034cafb6e1cccab6064efee8

SHA512
7e1db00e69ccf7c4e1575eda9dce55d437c686a27551c006351b9b9b93a0beccc7e2206f827fd35436648d70c6413d9513beecc2372675fdfddf9e7dc515c6fc

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Core.Tracing.GA4.dll
Filesize
360KB

MD5
6d6eb1872b54bc085153d9c974e866ff

SHA1
916a02efa94639f77c948dd1a1e2da652bfb0c29

SHA256
568713583917328fcde12863ed8d923e01d6c1bbf46fc795652910b088baf9c4

SHA512
f41bdc860c29b0c01a27d74b21768bcb5430b0bd4ed3e8eb72d87b603c639cce8c200bec0ce30a9c1d4eae0400e9c2a08fa9eace62bd32f06cffb7a1c4214b54

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Core.Tracing.dll
Filesize
43KB

MD5
4dcbc40f7e1b6ac87cbf7a9144066e17

SHA1
ba7081064f6171eef8006e0d9cbb48b8f4dc9d49

SHA256
4fc5169ccb9ed29394a86276fddb39ac143a74b14c0d6995ec502a60d59510d2

SHA512
b0e68bfae54540579e91ba97b3b90a9e9583f8e48433cb9e4a9bbda02ee6b10542f13262a5a5753cf735ba2bcfbbf53d4bb5356f49db645923a557f9b40aa6ac

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe
Filesize
64KB

MD5
7795240e4cb32264f19be67fd55bd0b8

SHA1
a51ecbed034fc6541ff06735bf9afad38ad80de8

SHA256
44986150d4d40cfab4e58725f45d173e1a175ba21817adaca4a400c60a532915

SHA512
a104ff4b3b2eb55cf98b86665e9791b1517f6b4eae50adcf19d5daa9c59b60749d62d6de0fccff132a047ced8f7cc5c92d68dba5bd71848db6f5abdca7df00eb

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe
Filesize
359KB

MD5
73e30b95417545f5101a8db9ac73c4e3

SHA1
f7d80a1a1229cfe7f13b7a6625d84889ddefa5d4

SHA256
154c19f72d05aa6d8e37865caac0057f087333382661f3d645d927ff657b0c33

SHA512
20b6bb166c0324b27839556cec7b7335314cc962f326745c610ae7fa7a8ecdeb7b7d20585703dd18977f5100a9c1eff1a7fd578eaf02c37157035d921f802afe

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\DroidKit.exe.config
Filesize
1KB

MD5
37c8496f8bb31c32b20a12465731e134

SHA1
2f9f4e6b75bcc6bb8cae2505150acd2e61244adf

SHA256
3bbfeb77ee305c4ee95362d2caca743af8e34ac1cb752487c1c2a14edf3dce51

SHA512
458150c1937d0fc4d3f3ba7d9fe2ddc2a446f370c568018b1a02ee477bbd4843883518a4b9def4c3f2d566a5636bf304c9c657bb960870c5cb35ed955d8f20d4

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Help.ico
Filesize
187KB

MD5
9ca6d8dcdc3a93521270fcb52c33e491

SHA1
42da181d0f73676197f50f3a2203708dd2543c0c

SHA256
7056eda1128f8a3a0c7217885972359cee99b6a62a62d4bd7bad79b04d7db227

SHA512
d28bce4de41036f25493ea28c64e840f8b62325eee6dbad03a4bb32439396aef16cf73eaaa95e975b82786c2aeac4eba86c13a6d703e616ef3ec82f41e463e28

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Language.Default.dll
Filesize
211KB

MD5
9154065bdec386e9dce631b889651d83

SHA1
ebab15091bfe8cbed9d733a8661efcf8368f955c

SHA256
e2654e5b900f4f80aed3f9ea726fbff1e4f07934ee80eb4deaabffcf230c3791

SHA512
175567bca06df16a874f58b3bf3cd7ea1f509bebab5ded8d1c6cacd89b19852f7532d7f34e1c1f4c782206ef0a17c9e605276095059057fa3a65b33f752447b7

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Module.Base.dll
Filesize
448KB

MD5
114f6b6c0400fca2e724af087211e04b

SHA1
4021dba276a1c59c98e0e8e76ab11c18d99c0f09

SHA256
0947dd0dc70eedf90451d3486765b88d0cb47eef816daac102266e787aa6839f

SHA512
724d5cc1b36e01e41aafd6fb388942a364ac19287eef13e3eae50b1d5129b36f638ce0370f6324ec23bbe7424b77a8dd2aed154d721175155c99ff6fd05279a5

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Prism.Unity.Wpf.dll
Filesize
29KB

MD5
cce587b8ff219b482e304e8d1105335d

SHA1
349e075ed476d9ebef6f939848a04221ab740151

SHA256
5429cd9cca2e972c2d0607767967b7e78db3dc4c74c874c96be66bf11c2c95cc

SHA512
fe3286efe04d229484f9a56b591409884c0cc58413bd54d0d10d245efee88f6060d0dd2d326ef02176c90a9c5f1e7245415515cdee43c8681c1555bdaeb7e312

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Prism.Wpf.dll
Filesize
143KB

MD5
f9fcc9bf77158750f4dc5f3ae063378f

SHA1
63b6c36c7d30e02abf873049e41a505f671e6c4a

SHA256
39849a5ad96c2f524c653e423a466aac1412d462f18a7c5264956b23c7f57d01

SHA512
8a5acf576ad98804ff258f2833d5f4bdbfeb8b181469d4ad37e5306fa116caba57c7de979bec37967ee78498268c8359e0a15aa813b07f3194dcfbd52cdba525

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Prism.dll
Filesize
74KB

MD5
3512d7bd528fa43472d63e413791784a

SHA1
103456791eaa487742bd71e1d4892d20dc46bbd1

SHA256
8c635d69f8b1e9bea6940d0f1fdf5a6604be8532018d9712cde0df1389d23a8c

SHA512
f923409e03419ccaeecf40d782dac50c016d06726b658b73e641182d0467c4cec478d75a3231107e6aa731c18693e344ba48869086a7a15da8852c9e3faf8b91

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\ResourcesBridge.dll
Filesize
108KB

MD5
9ce224d1d188f426cb99df5ac30e41ed

SHA1
290acc24ff4241f4c3432e2c8ba0ab7b14a12d80

SHA256
3a00abce3adb61036e4294971ffd2e41cb064e12fecec633362b6675a276db41

SHA512
9660bed17526b05b3fe4485093497838f171a4ff757a81469415d36bd24e22d9c73fc4b04e92ff6f56802527a51f3a1fc79bba01cbf7b61e03eb83ff4e41e395

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Theme.Default.dll
Filesize
1.2MB

MD5
29a8bf990612e473cf652b5cc7e540af

SHA1
4649853949f39cd688e8999b13518b4c077a0892

SHA256
54a02122c397dee54b49f09ac7b86cbb1b42a66e5701bb6a85eb3ba1478adab0

SHA512
4db4ec08ab3d756ca22a1de23c798f237ec8feba0685672aed3d5057d5f61ba9983d4afb84354b29f6aed0c81a481466e91e8bd969ff822241c2df991e12848c

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\UI.Controls.dll
Filesize
194KB

MD5
8d75ed3c2b3ea143bd30cc1f7376bb62

SHA1
c3aaa82cf7a8929ead80a5a2b4d7e2514e32fc8e

SHA256
b67576b9f3b8a4fe61c478826ee944dc045f37da645070bb2e85d63c92ceef39

SHA512
31b7b30a16fc40fad12719955b9aff2ab393a52db728f466498415d2b92c6f116fda5cdd8e951b7384c1ab2b3c6d4b9e637420a1a3109667364f088c5a50d9d3

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Utilities.UI.dll
Filesize
76KB

MD5
0a89c6dd4b4ca57db8f6de3a3d1bf1c0

SHA1
16fdd9a70992511e18d8411a15252d718d753c03

SHA256
eb832d8d56a043450d7f4926cd2530966b3398b83ac557d77df86cb9c48d5898

SHA512
5888570e5ff114836eb56170956cd2f084fe610b8d5e63a2fa27fe9338d49b310d8be722c1246089ab9f21b85f9f956b68aecffebd77be0993a259e209d1ceef

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\Utilities.dll
Filesize
2.4MB

MD5
3e01a93fd653cbc043b6847ccd8cb724

SHA1
40f50bfbd2c269ed3ee6aed8d671c4d5083fdec3

SHA256
eacc3cf43ae98a7266b77fb40b26f9b7e53278dadf6b0c84ab58d8a6e5da3074

SHA512
18a51c8082b79e4d6f868a0e3f43b2e795be8d2838620ca083c44d7f479b1548bb9a9c9861939275cb52fb4fc2f35dfd38d8179a8539b19ef55c7251e61745c1

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\droidkit.7z
Filesize
10.2MB

MD5
c0095f01fc705f315dcccbf4c5cdde38

SHA1
43dcbdb3a0ff163853deb0718976114083d22aa6

SHA256
31314a546ff27977e9828d895f86314a6a82163ddb302f970f319704c1dd92ac

SHA512
910594748d036098c1be78e002094bc224ae6359eb757f3afcac78ac00ade15fd8fb65f448d0aa06ae8ad16bcc7147bebdc4b1c6fdc03788443482194d3cc640

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.desktop\ADDITIONAL_LICENSE_INFO
Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.desktop\ASSEMBLY_EXCEPTION
Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\java\legal\java.desktop\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\libusbK.dll
Filesize
166KB

MD5
3935ec3158d0e488da1929b77edd1633

SHA1
bd6d94704b29b6cef3927796bfe22a2d09ee4fe7

SHA256
87cbd1f3bf5ab72089a879df110263784602a574c0ae83f428df57ae2f8115db

SHA512
5173891b1dfad2298910236a786c7b9bbcfce641491a25f933022088c81465fb93fd2385d270e9a0632f674355538da464d1edacf511140d6f31d91d1afe64fc

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\log4net.dll
Filesize
264KB

MD5
27fe8d18682fd9901e589e65ef429b23

SHA1
6426e96243911beab547f2bc98a252a26692f11f

SHA256
896ab9cac41e3977792ba2034ea8730610c2779fa51bab6bed426094ea8d3ecd

SHA512
9d6bc8c77c72cbad15e808281818c2768f1b44aa6ea1d54a979c91218b8fbf2a02fee49fa97db6cfa6087ddc363d6cdd6407e4494934b4568c514437030a2615

Download Submit
C:\Program Files (x86)\iMobie\DroidKit\x86\libusb0.dll
Filesize
45KB

MD5
8574627d4a5415c36176bf4ab9058183

SHA1
a50ab8e8983ce2afa54cb23e4629c83889cd0c56

SHA256
3b8c37db1af7f30a2baff39b587ecf7edd30027ee3e91d5e596e39dd0f0e3908

SHA512
ea27c071f047d200f45c5c82943e39df05bf5755aa72c44983ed367fc1d2ba30781cd24a0ff4e4da6224106d9f639f0872848d0fa7058f088467d1b4b5205954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
4b1045117f7a86bff740012ffbfae2b0

SHA1
c43e0d8df7df22b71bb073295b83a7c3f11a396e

SHA256
9ffd7e1d452884eab483b35533a8233f9abcd4ebc1ba72b40b727ebeac99338a

SHA512
196d903dec6f1d652fe7644b3e859fa9331004b2707eeee684efe897a16aa92d298a2bad0f546748a9af7bc22148a6db715e5a7923dea25a43a3f91096ead946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fd493fe405239a72a00ee75a85c8f22e

SHA1
faa1f1c3fee420c24535c6a2a2047f12562d21a3

SHA256
defb497a2102ad10109c84454a6504a235e95e33d7f67a32ac27bf4ed656a20d

SHA512
93c76ba3ee8bd1e14b258fba5716acf7594abc0e5495acea8d9e0e63b865eebdf78b5eb7f08c0c2fd8e15acf8452169d7570613c3d562a0ac0d52eb099a0a2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
15beda8d7ea485e997d8e95d3f973a3a

SHA1
b4157d4c59beada2eea3137cc24ccee13d7b056b

SHA256
5e430a25adb672068f4535a2e8c27fcec13f19121c89e33fb87449f03684d231

SHA512
37f27c2e4b9309848ff994e3e63160a590ff742ab9b48a9a523e1b67b87e090076fc9a4600c32959081a4826e2920e21033f7bf6b781a5a75c1a770b1a266d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c2b838563c110a7d620d4ee07e725cc2

SHA1
e0566a4a20e002df30882ef6910656af2ad5d678

SHA256
d91aa43578cf26a818abf831ceb64a930cbc212918df4000f0e133dd16e31966

SHA512
44b4ef616fbdbf964abc71a9e17b954bd63a919c2ef757d4a147e8a51db9fbae3c083962b026ebbb062e7d13bfda160f70467d5f83e1c8da3b34f9da4abebc0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5bee0894dd298366845e308c5fa5e268

SHA1
c4d004885863356118b4287d79de196a7880e95c

SHA256
f107e8098b3d0935bcca79e8cbcb541feb9d071b0cbeef25578f8b24429a5b29

SHA512
9d4302b2a7edcb4821a5f3b762bf8cbbc797ce4e5ce054e29906b90272226bab049e6e306c5ef188ee7ab8925e28fc4347242904c5fde2a228b093bc08fa0889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2521fe6b0a9d8b5b8a577abbd5fb5ec2

SHA1
6c6cffabc87f3bbe368d636ae95dac5c15806085

SHA256
abff7f8d2e5cc7ffad59857c88c4d406b4f02188c30a01bb890ef8344b9e80eb

SHA512
5d94fcc502722f1066a59e65219d95a0991e19d7a69e46ce60851931a52c37b4bce4a16d9245586cc25d3fef56df1284e0599953d671b1c29ac6c69ab2af634d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
36eeea0c446ba4c3472be85c66c04d92

SHA1
a16b502fe4702a64a03a5a4c0c2b1d18e72fba9c

SHA256
24ec6a321718fb70e2f9cf535206d9d478bdca206beace6645f7437e29225cad

SHA512
4856c697ade2e7ab222c82228145c2dfc5d14c8654ddbc0d789aee27391e38bd7def2eab3a8448e35abf45e823e160077da23754fa4ed3ea826ca3004d2b65a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3b7cac9f2eb9b42e840f29b47ebb22fa

SHA1
c2e00113bbaef82a7ac53498faa5ce1ab956b95f

SHA256
38b2af7e9999e961deab7664b4163ae44fd179c7ac15948ae68538615d1b250e

SHA512
40d8e41db4523010ba83a2ba6faaaa3da8536d3ae7fa7ecc8ad789e6bd34b548c757057aabc5243c36ce90db09e2919d024167ae45a5f2eecaab2fc980a91521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
170c6795f9456875f26f46d2d0017166

SHA1
a13c097fd6a606a710fe1833ea0d63ea292b55d1

SHA256
5bce2f958810409b758750b5dd02fb40a48d2e0555387dcf77effba5323b72dd

SHA512
8cade4409485714ffb695873f31e35c840e141ea5a6caff2f9fad59b3a40af2212feb4515a313e8e60f9cc9dbbb00c5579e48370de60f2f4e0626de942b2e609

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\CheckProVs.dll
Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\GoogleTracingLib.dll
Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\System.dll
Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\msvcp100.dll
Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\msvcr100.dll
Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\nsDui.dll
Filesize
5.2MB

MD5
6dd71adda4e7dca350c730346230c6c1

SHA1
c899940abb1df1bcf8e73d93111d87abd3b43ad5

SHA256
a97dc02b00a0d95ec44c90e9e97dba6a5ec1c56119916d9ed33527b361ade46c

SHA512
e56f7a255edd762b8afa97f042fc20bec11a31241f3ae777458db13230bc232236450939005aaaf3bedc1f076845184e6e2645c54cff3a2440024f23a25a6447

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\nsDui.dll
Filesize
7.1MB

MD5
37e2309c610ceba249eaaae374f6f9e4

SHA1
9a7a38207cd8edf3f4d8a86cf25394eb05dc41fb

SHA256
27a911e609aac13976af27a5acfe977357b0d9e57cba4186f5096a5536eb49bd

SHA512
858111d35caa2fe38b8a393f185121943c38fef96793d7bc51ef91cb1e94507450734cff4ab801a7d93978a7c8b888654a5a11df86e272bf3de56a1c05940fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\nsis7z.dll
Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\registry.dll
Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\track_Official-com.txt
Filesize
33B

MD5
fa52ec95f4829013cdfd7ec9b8b1e533

SHA1
c3c3fec43c808c02d5a8177da0ff751b974ac40f

SHA256
8bdd7a58efb7679d680d94e1a5067699d4b06161700335e05fc20268e53c75b2

SHA512
b79ecf85a580fbfd00a298e76cc0381863f19cd2ff281894b05772f4d0104960ec96f78cfa86427994029d580973227214c4ffbcc444f82e65e00a5916c1068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\uninstall.exe
Filesize
2.0MB

MD5
5ec5aaa2e5371747c1131339a4a6d5aa

SHA1
3d99b723ea93a62b3cd10cb6df6ec615899e8aec

SHA256
dfcd19279647ce9ab01c15c8e1b5bd81d2a61b26b0f37756e4b918367e9a02a3

SHA512
3cfc02d8afd1565fedd20b26630efa7138e1cf145675bd468cf7e0447c0f93fc73bd01e45ba90c15539567f07b95e9e4efe1e527740b4d8a7fd8aa213911288e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg62A3.tmp\uninstall.ini
Filesize
52B

MD5
e978a46d7e23c139e4df7b526f86745f

SHA1
f280d921ff3bbf5e171b0f6aa9e48e9914e32dd6

SHA256
435288e587018aa375e8a4bf3f35cd8dfffd559053f5ca6a0e487a61ff23e5db

SHA512
7b7150f3b2385d7a7264839d626e9b7c7026868d57f9f5df7d42ddb01688a7bf3008937ef2aa06c3f49089cb4cfbbfb8b6d9661fbc6a4f8e555305552759a75f

Download Submit
C:\Users\Admin\AppData\Local\lang_info.xml
Filesize
3KB

MD5
b36489cb554c11a7bf85cd14c7c1cb84

SHA1
c7349c67c34aa9d536dba6c20e5aaa65095db710

SHA256
85ced2c6b72c435ca255179c6136c8b25061fe1a6981c9b7fdfd8c7d359955d2

SHA512
fd3adc41759e7f789110a8d13a60a5503ea45fccd3fe7d773ad44a284dc3eed89585c76422678051a390266711c11cc5a3bb9aff569f0ddced3bc359b3054922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
271B

MD5
a1585f66d2126314deb0d72b4768b4d8

SHA1
5603eac4e102030d88333bafc039a67d309ef733

SHA256
e5b21492b45a2972532d196404ead20878f9f1921742214b9c760b9c2976d459

SHA512
c647b60db9311c9a3e92948919e8ae52e504c01a2b8d4ef2c0a64a1f025c85e4f8ed76097df14bee00723f9cb364021de8056d9cac0bb65aff896061e55710fe

Download Submit
F:\iMobie\DroidKit\settings
Filesize
1KB

MD5
f9e7bd7f460010ad6e0928bfc7c158f7

SHA1
9591ea28790605219347d5c76b3c8a924f193609

SHA256
f2178b13663f6dde182d855d3e724c28dd64c3693efde7593f20d126b0c6640b

SHA512
ec55df0e8ebc36e857dd710ab9a1b70a3c63d016cfb950ec916860f484d8ae50d6a312a31b8363613864414c9e6cdcec9ff52e09e30fb63b88fe4fc9f2884a3b

Download Submit
\??\pipe\LOCAL\crashpad_4048_SGUUWHPIYDZZDMGS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3076-1540-0x0000000000A20000-0x0000000000A79000-memory.dmp

Filesize
356KB

Download
memory/6452-1629-0x000001723D8F0000-0x000001723D900000-memory.dmp

Filesize
64KB

Download
memory/6452-1720-0x000001723EA80000-0x000001723EABC000-memory.dmp

Filesize
240KB

Download
memory/6452-1626-0x000001723D9D0000-0x000001723D9E6000-memory.dmp

Filesize
88KB

Download
memory/6452-1621-0x00000172404C0000-0x0000017242682000-memory.dmp

Filesize
33.8MB

Download
memory/6452-1634-0x000001723D970000-0x000001723D97E000-memory.dmp

Filesize
56KB

Download
memory/6452-1608-0x000001723DA10000-0x000001723DA48000-memory.dmp

Filesize
224KB

Download
memory/6452-1640-0x000001723D9F0000-0x000001723DA04000-memory.dmp

Filesize
80KB

Download
memory/6452-1642-0x000001723DC60000-0x000001723DCBE000-memory.dmp

Filesize
376KB

Download
memory/6452-1644-0x000001723E2F0000-0x000001723E3C4000-memory.dmp

Filesize
848KB

Download
memory/6452-1606-0x000001723D9B0000-0x000001723D9CE000-memory.dmp

Filesize
120KB

Download
memory/6452-1604-0x000001723D890000-0x000001723D8D6000-memory.dmp

Filesize
280KB

Download
memory/6452-1602-0x000001723D8F0000-0x000001723D900000-memory.dmp

Filesize
64KB

Download
memory/6452-1589-0x000001723DE40000-0x000001723E2F0000-memory.dmp

Filesize
4.7MB

Download
memory/6452-1700-0x000001723D8F0000-0x000001723D900000-memory.dmp

Filesize
64KB

Download
memory/6452-1701-0x000001723DD10000-0x000001723DD26000-memory.dmp

Filesize
88KB

Download
memory/6452-1702-0x000001723DD30000-0x000001723DD8A000-memory.dmp

Filesize
360KB

Download
memory/6452-1703-0x000001723DC40000-0x000001723DC4C000-memory.dmp

Filesize
48KB

Download
memory/6452-1704-0x000001723DC50000-0x000001723DC58000-memory.dmp

Filesize
32KB

Download
memory/6452-1706-0x000001723DDC0000-0x000001723DDD6000-memory.dmp

Filesize
88KB

Download
memory/6452-1707-0x000001723DDA0000-0x000001723DDB0000-memory.dmp

Filesize
64KB

Download
memory/6452-1705-0x000001723DD90000-0x000001723DD98000-memory.dmp

Filesize
32KB

Download
memory/6452-1708-0x000001723DDB0000-0x000001723DDBE000-memory.dmp

Filesize
56KB

Download
memory/6452-1709-0x000001723E750000-0x000001723E788000-memory.dmp

Filesize
224KB

Download
memory/6452-1710-0x000001723E800000-0x000001723E864000-memory.dmp

Filesize
400KB

Download
memory/6452-1712-0x000001723E790000-0x000001723E7CE000-memory.dmp

Filesize
248KB

Download
memory/6452-1711-0x000001723E870000-0x000001723E8B6000-memory.dmp

Filesize
280KB

Download
memory/6452-1713-0x000001723E8C0000-0x000001723E8FE000-memory.dmp

Filesize
248KB

Download
memory/6452-1714-0x000001723E900000-0x000001723E93E000-memory.dmp

Filesize
248KB

Download
memory/6452-1715-0x000001723E940000-0x000001723E97C000-memory.dmp

Filesize
240KB

Download
memory/6452-1716-0x000001723E980000-0x000001723E9C0000-memory.dmp

Filesize
256KB

Download
memory/6452-1717-0x000001723E9C0000-0x000001723E9FE000-memory.dmp

Filesize
248KB

Download
memory/6452-1718-0x000001723EA00000-0x000001723EA3A000-memory.dmp

Filesize
232KB

Download
memory/6452-1719-0x000001723EA40000-0x000001723EA7C000-memory.dmp

Filesize
240KB

Download
memory/6452-1628-0x000001723DBC0000-0x000001723DBF4000-memory.dmp

Filesize
208KB

Download
memory/6452-1721-0x000001723EAC0000-0x000001723EAF4000-memory.dmp

Filesize
208KB

Download
memory/6452-1722-0x000001723E710000-0x000001723E73A000-memory.dmp

Filesize
168KB

Download
memory/6452-1723-0x000001723E7D0000-0x000001723E7E4000-memory.dmp

Filesize
80KB

Download
memory/6452-1724-0x000001723DE10000-0x000001723DE18000-memory.dmp

Filesize
32KB

Download
memory/6452-1725-0x000001723DE20000-0x000001723DE2A000-memory.dmp

Filesize
40KB

Download
memory/6452-1730-0x000001723DE30000-0x000001723DE38000-memory.dmp

Filesize
32KB

Download
memory/6452-1731-0x000001723EB20000-0x000001723EB3C000-memory.dmp

Filesize
112KB

Download
memory/6452-1732-0x000001723EC40000-0x000001723EC60000-memory.dmp

Filesize
128KB

Download
memory/6452-1735-0x000001723F190000-0x000001723F6C0000-memory.dmp

Filesize
5.2MB

Download
memory/6452-1736-0x000001723F260000-0x000001723F85E000-memory.dmp

Filesize
6.0MB

Download
memory/6452-1737-0x000001723EDA0000-0x000001723EEE0000-memory.dmp

Filesize
1.2MB

Download
memory/6452-1738-0x000001723F060000-0x000001723F1DC000-memory.dmp

Filesize
1.5MB

Download
memory/6452-1740-0x000001723FBD0000-0x000001723FF36000-memory.dmp

Filesize
3.4MB

Download
memory/6452-1741-0x0000017242690000-0x0000017242A0A000-memory.dmp

Filesize
3.5MB

Download
memory/6452-1742-0x000001723ED00000-0x000001723ED9C000-memory.dmp

Filesize
624KB

Download
memory/6452-1743-0x000001723EEE0000-0x000001723EF46000-memory.dmp

Filesize
408KB

Download
memory/6452-1744-0x000001723FF40000-0x00000172401C6000-memory.dmp

Filesize
2.5MB

Download
memory/6452-1745-0x000001723ECA0000-0x000001723ECE0000-memory.dmp

Filesize
256KB

Download
memory/6452-1746-0x000001723EFC0000-0x000001723F026000-memory.dmp

Filesize
408KB

Download
memory/6452-1747-0x00007FFABC930000-0x00007FFABCC99000-memory.dmp

Filesize
3.4MB

Download
memory/6452-1580-0x0000017223790000-0x00000172237A6000-memory.dmp

Filesize
88KB

Download
memory/6452-1757-0x000001723F960000-0x000001723FA60000-memory.dmp

Filesize
1024KB

Download
memory/6452-1758-0x000001723EF50000-0x000001723EF78000-memory.dmp

Filesize
160KB

Download
memory/6452-1759-0x000001723EC60000-0x000001723EC76000-memory.dmp

Filesize
88KB

Download
memory/6452-1760-0x000001723E7F0000-0x000001723E800000-memory.dmp

Filesize
64KB

Download
memory/6452-1761-0x000001723F860000-0x000001723F8B0000-memory.dmp

Filesize
320KB

Download
memory/6452-1578-0x00007FFAC1710000-0x00007FFAC21D1000-memory.dmp

Filesize
10.8MB

Download
memory/6452-1573-0x0000017223300000-0x000001722335A000-memory.dmp

Filesize
360KB

Download
memory/6452-1577-0x0000017223760000-0x0000017223788000-memory.dmp

Filesize
160KB

Download
memory/6452-1575-0x0000017223700000-0x000001722370C000-memory.dmp

Filesize
48KB

Download
memory/6912-1797-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download