gcleaner | hxxps://cdn[.]discordapp[.]com/attachments/1227169957398319168/1227171589611720795/ver3_release_file[.]rar?ex=66276f9a&is=6614fa9a&hm=dcb155aeedd867a6322a715992e51ef5b7d88163abda4988108ede14e4c355d4&

Resubmissions

09-04-2024 16:45

240409-t9j4bacf87 10

09-04-2024 16:41

240409-t68x9sga5v 1

Analysis

max time kernel
100s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1227169957398319168/1227171589611720795/ver3_release_file.rar?ex=66276f9a&is=6614fa9a&hm=dcb155aeedd867a6322a715992e51ef5b7d88163abda4988108ede14e4c355d4&

Score

10^/10

gcleaner glupteba redline risepro stealc tofsee vidar zgrat logsdiller cloud (tg: @logsdillabot)dropper evasion infostealer loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

tofsee

vanaheim.cn

jotunheim.name

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/5676-832-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7
behavioral1/memory/5676-793-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7
behavioral1/memory/5716-790-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7
behavioral1/memory/5716-835-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7
behavioral1/memory/5676-844-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7
behavioral1/memory/5716-845-0x0000000000400000-0x0000000000652000-memory.dmp	family_vidar_v7

Detect ZGRat V1 14 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\dL78s3hDjeuUpHjg80UHUctd.exe	family_zgrat_v1
behavioral1/memory/764-699-0x0000000005810000-0x0000000005A50000-memory.dmp	family_zgrat_v1
behavioral1/memory/5344-697-0x0000000000890000-0x0000000000E0A000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-721-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-720-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-727-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-737-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-791-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-827-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-784-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-762-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-840-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/764-860-0x0000000005810000-0x0000000005A4B000-memory.dmp	family_zgrat_v1
behavioral1/memory/8144-1442-0x0000000000400000-0x00000000004C2000-memory.dmp	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5264-1122-0x0000000005170000-0x0000000005A5B000-memory.dmp	family_glupteba
behavioral1/memory/5264-1229-0x0000000000400000-0x0000000003105000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5168-789-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/8144-1442-0x0000000000400000-0x00000000004C2000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

6772 netsh.exe
6880 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

pid	process
6772	netsh.exe
6880	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 12 IoCs

Processes:

setup.exenbkL8JRPH3oFUeB3PHslUrSj.exeKograzv1x5E6KQV9L1zLFdSV.exeSd_Z2tUfYvdkl6DbIwO4IBLk.exe4MGIub_aglQ6Ip29B5OEp1Wl.exeBk7knsKWhu5R2Z_L4JuoKuae.exeZrOcXZEmqVB8XS_YvZBNZLRw.exeHjsqtEideoBcD2OOy3QX2OP5.exesH4rIgsigS9ivUW83AulimOb.exedL78s3hDjeuUpHjg80UHUctd.exehpmWYHhclrc51Lea4EbhdQzE.exeMAE9rjafP00aPAArTA53RIc3.exe

pid	process
4640	setup.exe
4676	nbkL8JRPH3oFUeB3PHslUrSj.exe
764	Kograzv1x5E6KQV9L1zLFdSV.exe
5564	Sd_Z2tUfYvdkl6DbIwO4IBLk.exe
5496	4MGIub_aglQ6Ip29B5OEp1Wl.exe
5172	Bk7knsKWhu5R2Z_L4JuoKuae.exe
5104	ZrOcXZEmqVB8XS_YvZBNZLRw.exe
4228	HjsqtEideoBcD2OOy3QX2OP5.exe
5264	sH4rIgsigS9ivUW83AulimOb.exe
5344	dL78s3hDjeuUpHjg80UHUctd.exe
5520	hpmWYHhclrc51Lea4EbhdQzE.exe
5156	MAE9rjafP00aPAArTA53RIc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO45A95CD7\setup.exe	themida
behavioral1/memory/4640-128-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-135-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-133-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-137-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-131-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-138-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-140-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-139-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-148-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-291-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-335-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-379-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida
behavioral1/memory/4640-698-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

125 bitbucket.org
310 iplogger.org
311 iplogger.org
72 bitbucket.org
87 bitbucket.org
100 bitbucket.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 api.myip.com
52 api.myip.com
57 ipinfo.io
59 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
125	bitbucket.org
310	iplogger.org
311	iplogger.org
72	bitbucket.org
87	bitbucket.org
100	bitbucket.org

flow	ioc
50	api.myip.com
52	api.myip.com
57	ipinfo.io
59	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

setup.exe

pid process

4640 setup.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

9088 sc.exe
5652 sc.exe
6856 sc.exe
1676 sc.exe
7892 sc.exe
8712 sc.exe
6700 sc.exe
2904 sc.exe
6496 sc.exe

pid	process
9088	sc.exe
5652	sc.exe
6856	sc.exe
1676	sc.exe
7892	sc.exe
8712	sc.exe
6700	sc.exe
2904	sc.exe
6496	sc.exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6620	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
1080	5104	WerFault.exe	ZrOcXZEmqVB8XS_YvZBNZLRw.exe
7308	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
7876	4676	WerFault.exe	nbkL8JRPH3oFUeB3PHslUrSj.exe
6736	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
8012	1252	WerFault.exe	rgyfkinf.exe
6464	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
8632	5676	WerFault.exe	RegAsm.exe
9056	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
8180	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
8720	5520	WerFault.exe	hpmWYHhclrc51Lea4EbhdQzE.exe
6280	8144	WerFault.exe	MsBuild.exe
2508	5172	WerFault.exe	Bk7knsKWhu5R2Z_L4JuoKuae.exe
8460	5716	WerFault.exe	RegAsm.exe
4728	5104	WerFault.exe	ZrOcXZEmqVB8XS_YvZBNZLRw.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6760 schtasks.exe
8128 schtasks.exe
6068 schtasks.exe
3668 schtasks.exe

pid	process
6760	schtasks.exe
8128	schtasks.exe
6068	schtasks.exe
3668	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

8108 taskkill.exe

pid	process
8108	taskkill.exe

Modifies registry class 3 IoCs

Processes:

msedge.exetaskmgr.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{0CE447B5-78A6-4FB0-9163-AD06CEE0FD5E}	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8736 PING.EXE

pid	process
8736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskmgr.exe

pid	process
1624	msedge.exe
1624	msedge.exe
3868	msedge.exe
3868	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
3000	msedge.exe
3000	msedge.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2644 7zFM.exe

pid	process
2644	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	2644	7zFM.exe
Token: 35	2644	7zFM.exe
Token: SeSecurityPrivilege	2644	7zFM.exe
Token: SeDebugPrivilege	3816	taskmgr.exe
Token: SeSystemProfilePrivilege	3816	taskmgr.exe
Token: SeCreateGlobalPrivilege	3816	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exetaskmgr.exe

pid	process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
2644	7zFM.exe
2644	7zFM.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe
3816	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3868 wrote to memory of 892	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 892	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3976	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 1624	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 1624	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3640	3868	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1227169957398319168/1227171589611720795/ver3_release_file.rar?ex=66276f9a&is=6614fa9a&hm=dcb155aeedd867a6322a715992e51ef5b7d88163abda4988108ede14e4c355d4&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe19a346f8,0x7ffe19a34708,0x7ffe19a34718
2⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
2⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
2⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:8
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3976 /prefetch:8
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ver3_release_file.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

C:\Users\Admin\AppData\Local\Temp\7zO45A95CD7\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zO45A95CD7\setup.exe"
3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4640

C:\Users\Admin\Documents\SimpleAdobe\Kograzv1x5E6KQV9L1zLFdSV.exe
C:\Users\Admin\Documents\SimpleAdobe\Kograzv1x5E6KQV9L1zLFdSV.exe
4⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\Documents\SimpleAdobe\nbkL8JRPH3oFUeB3PHslUrSj.exe
C:\Users\Admin\Documents\SimpleAdobe\nbkL8JRPH3oFUeB3PHslUrSj.exe
4⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qvlzkevl\
5⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oaiflyec.exe" C:\Windows\SysWOW64\qvlzkevl\
5⤵
PID:1792

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qvlzkevl binPath= "C:\Windows\SysWOW64\qvlzkevl\oaiflyec.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\nbkL8JRPH3oFUeB3PHslUrSj.exe\"" type= own start= auto DisplayName= "wifi support"
5⤵
- Launches sc.exe
PID:6856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qvlzkevl "wifi internet conection"
5⤵
- Launches sc.exe
PID:2904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qvlzkevl
5⤵
- Launches sc.exe
PID:6496

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
- Modifies Windows Firewall
PID:6772

C:\Users\Admin\rgyfkinf.exe
"C:\Users\Admin\rgyfkinf.exe" /d"C:\Users\Admin\Documents\SimpleAdobe\nbkL8JRPH3oFUeB3PHslUrSj.exe"
5⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pjomhkhj.exe" C:\Windows\SysWOW64\qvlzkevl\
6⤵
PID:7420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config qvlzkevl binPath= "C:\Windows\SysWOW64\qvlzkevl\pjomhkhj.exe /d\"C:\Users\Admin\rgyfkinf.exe\""
6⤵
- Launches sc.exe
PID:7892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qvlzkevl
6⤵
- Launches sc.exe
PID:1676

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
- Modifies Windows Firewall
PID:6880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5056.bat" "
6⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1052
6⤵
- Program crash
PID:8012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 656
5⤵
- Program crash
PID:7876

C:\Users\Admin\Documents\SimpleAdobe\HjsqtEideoBcD2OOy3QX2OP5.exe
C:\Users\Admin\Documents\SimpleAdobe\HjsqtEideoBcD2OOy3QX2OP5.exe
4⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Local\Temp\is-AFBFS.tmp\HjsqtEideoBcD2OOy3QX2OP5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AFBFS.tmp\HjsqtEideoBcD2OOy3QX2OP5.tmp" /SL5="$504DC,3472209,54272,C:\Users\Admin\Documents\SimpleAdobe\HjsqtEideoBcD2OOy3QX2OP5.exe"
5⤵
PID:5240

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i
6⤵
PID:3560

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s
6⤵
PID:6924

C:\Users\Admin\Documents\SimpleAdobe\hpmWYHhclrc51Lea4EbhdQzE.exe
C:\Users\Admin\Documents\SimpleAdobe\hpmWYHhclrc51Lea4EbhdQzE.exe
4⤵
- Executes dropped EXE
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 748
5⤵
- Program crash
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 756
5⤵
- Program crash
PID:7308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 748
5⤵
- Program crash
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 844
5⤵
- Program crash
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1064
5⤵
- Program crash
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1324
5⤵
- Program crash
PID:8180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hpmWYHhclrc51Lea4EbhdQzE.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\hpmWYHhclrc51Lea4EbhdQzE.exe" & exit
5⤵
PID:9040

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "hpmWYHhclrc51Lea4EbhdQzE.exe" /f
6⤵
- Kills process with taskkill
PID:8108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1260
5⤵
- Program crash
PID:8720

C:\Users\Admin\Documents\SimpleAdobe\Sd_Z2tUfYvdkl6DbIwO4IBLk.exe
C:\Users\Admin\Documents\SimpleAdobe\Sd_Z2tUfYvdkl6DbIwO4IBLk.exe
4⤵
- Executes dropped EXE
PID:5564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2180
6⤵
- Program crash
PID:8632

C:\Users\Admin\Documents\SimpleAdobe\4MGIub_aglQ6Ip29B5OEp1Wl.exe
C:\Users\Admin\Documents\SimpleAdobe\4MGIub_aglQ6Ip29B5OEp1Wl.exe
4⤵
- Executes dropped EXE
PID:5496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 2176
6⤵
- Program crash
PID:8460

C:\Users\Admin\Documents\SimpleAdobe\Bk7knsKWhu5R2Z_L4JuoKuae.exe
C:\Users\Admin\Documents\SimpleAdobe\Bk7knsKWhu5R2Z_L4JuoKuae.exe
4⤵
- Executes dropped EXE
PID:5172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe"
5⤵
PID:7704

C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe
"C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe"
6⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe
7⤵
PID:536

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
8⤵
- Runs ping.exe
PID:8736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 2312
5⤵
- Program crash
PID:2508

C:\Users\Admin\Documents\SimpleAdobe\ZrOcXZEmqVB8XS_YvZBNZLRw.exe
C:\Users\Admin\Documents\SimpleAdobe\ZrOcXZEmqVB8XS_YvZBNZLRw.exe
4⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:6068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 856
5⤵
- Program crash
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 912
5⤵
- Program crash
PID:4728

C:\Users\Admin\Documents\SimpleAdobe\L9Xyu21irZLT6YiZqVHlhcoH.exe
C:\Users\Admin\Documents\SimpleAdobe\L9Xyu21irZLT6YiZqVHlhcoH.exe
4⤵
PID:4788

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:6760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:8128

C:\Users\Admin\Documents\SimpleAdobe\aBrwDXhGhu0pnjQbv3OgCGMx.exe
C:\Users\Admin\Documents\SimpleAdobe\aBrwDXhGhu0pnjQbv3OgCGMx.exe
4⤵
PID:2400

C:\Users\Admin\Documents\SimpleAdobe\qt3aKCxVAsKoRiLDfS7Z73y_.exe
C:\Users\Admin\Documents\SimpleAdobe\qt3aKCxVAsKoRiLDfS7Z73y_.exe
4⤵
PID:6092

C:\Users\Admin\Documents\SimpleAdobe\sH4rIgsigS9ivUW83AulimOb.exe
C:\Users\Admin\Documents\SimpleAdobe\sH4rIgsigS9ivUW83AulimOb.exe
4⤵
- Executes dropped EXE
PID:5264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:9096

C:\Users\Admin\Documents\SimpleAdobe\dL78s3hDjeuUpHjg80UHUctd.exe
C:\Users\Admin\Documents\SimpleAdobe\dL78s3hDjeuUpHjg80UHUctd.exe
4⤵
- Executes dropped EXE
PID:5344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
5⤵
PID:8708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
5⤵
PID:8144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 1080
6⤵
- Program crash
PID:6280

C:\Users\Admin\Documents\SimpleAdobe\S85ItSdm5E3b3XcbKINGMxg2.exe
C:\Users\Admin\Documents\SimpleAdobe\S85ItSdm5E3b3XcbKINGMxg2.exe
4⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5168

C:\Users\Admin\Documents\SimpleAdobe\MAE9rjafP00aPAArTA53RIc3.exe
C:\Users\Admin\Documents\SimpleAdobe\MAE9rjafP00aPAArTA53RIc3.exe
4⤵
- Executes dropped EXE
PID:5156

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:8680

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:8688

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:8696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:8704

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
5⤵
- Launches sc.exe
PID:8712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
5⤵
- Launches sc.exe
PID:9088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:5652

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
5⤵
- Launches sc.exe
PID:6700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1
2⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
2⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6264 /prefetch:8
2⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
- Modifies registry class
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
2⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
2⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
2⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
2⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
2⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
2⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
2⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
2⤵
PID:6420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
2⤵
PID:6428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
2⤵
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8588 /prefetch:1
2⤵
PID:6992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
2⤵
PID:7040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
2⤵
PID:7080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9188 /prefetch:1
2⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:1
2⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
2⤵
PID:6492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8484 /prefetch:1
2⤵
PID:6244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9016 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10132 /prefetch:1
2⤵
PID:7012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9556 /prefetch:2
2⤵
PID:7716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10540 /prefetch:1
2⤵
PID:8060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10636 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
2⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
2⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
2⤵
PID:7432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:1
2⤵
PID:6624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11064 /prefetch:1
2⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11616 /prefetch:1
2⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11744 /prefetch:1
2⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11936 /prefetch:1
2⤵
PID:6728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1865701226003916808,5369233882523385556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12080 /prefetch:1
2⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6056

C:\Windows\System32\qe8nmy.exe
"C:\Windows\System32\qe8nmy.exe"
1⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=qe8nmy.exe qe8nmy.exe"
1⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe19a346f8,0x7ffe19a34708,0x7ffe19a34718
2⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5520 -ip 5520
1⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5104 -ip 5104
1⤵
PID:6916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5520 -ip 5520
1⤵
PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4676 -ip 4676
1⤵
PID:7420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x510
1⤵
PID:7852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5520 -ip 5520
1⤵
PID:7808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1252 -ip 1252
1⤵
PID:7700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5520 -ip 5520
1⤵
PID:8104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5676 -ip 5676
1⤵
PID:8564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5520 -ip 5520
1⤵
PID:9012

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:8396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:8656

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:8724

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:8756

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:8764

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
"C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
3⤵
PID:8876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:8104

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:9028

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:8796

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:6700

C:\Windows\system32\svchost.exe
svchost.exe
4⤵
PID:9136

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:8388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5520 -ip 5520
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5520 -ip 5520
1⤵
PID:8816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5104 -ip 5104
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8144 -ip 8144
1⤵
PID:9092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5172 -ip 5172
1⤵
PID:8600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5716 -ip 5716
1⤵
PID:9032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5104 -ip 5104
1⤵
PID:8944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exe
Filesize
2.6MB

MD5
4e3f67cc564188620890eb896f08d19c

SHA1
ff3776c4ab9964c2155d67fd6ad0e564a152db18

SHA256
d786f3ad57a5cf40dea1b4a88d62d6ec7fd4cc207a90159192ad97832f79dbbc

SHA512
dc21ee210ccea1a6ad5ffbc6a929e6455c6349c72122459e14a15eb15bb1eeb042a7532dfa3517d85323183a85b91e64d6d84ae3a0b734410b6691f7a3ea0d5d

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
9539346f11b9c39a31f1a2e84eeb7ad9

SHA1
7dae139e917bd4c773f17a83f1c99ad75baba295

SHA256
862a49d15a022936a284d5e80693ade5c30bb35fc3dce3adbf228de112faf7c9

SHA512
965586270b744903a3805c5bde66bebaeba90787bd4d6d42a9859740cab2e1d5d89085edc9170537557b4e5f9295d01a215045e8bfeb5c84dcb927941a90f4c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
2KB

MD5
4b94f4160798fc904f194ced0cba3f0d

SHA1
3c551a7559d9a59f7478bf5932cc4775a8ce48c2

SHA256
73e4a76a0eb7e5baaa9cc75240aa538d46f110154ea447a49dbde816daa29db1

SHA512
a1af1c6ab057ae9a2a5c8a8947441d58cdfea25f1e70b151bc1656b69d8cd54f3170b5e9e846dbf0c70f83421cc6e1f77bef68552eee4677cd42d04ae5790f50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
55044b8c59e31981d9d0c1b898cbcbbc

SHA1
13effc78ecfe9e51d36d384f0e1c1d17464a2c30

SHA256
a7ee337bfea245b33564ba8310d933c7bbc40bd69ae667f8b3df0bd9dd86cef5

SHA512
2262c86ea4bde6739a108e195dc0d9690931f6483a0a5c9cf90b6b641ba6f8ea23723f9cc3231ce8def1851cfbb9dd0941951dc18684c6bf3555d4d200db2622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
f5841b2df38f382c2d8b4b1d109c278f

SHA1
25ecf3f7ec115a4517bda3345ae812d1d95893bb

SHA256
344ccbeacb382ce25dc312e164b4111383a8f706e30343b0f343e3f6d3d6c9cc

SHA512
17689a6a466538cfe651104f1d2e7f3d2c16ac4fc32e9c95c678d3384e5efc4d18e1592e47cf0c8ed2d44ac71dda46eb51240b20074b8ffceaf6e390dbb0ed2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
fc3ca8cc52fed526855687a1b6af7f52

SHA1
8e1986092ad7872d9f3b334691f3a4a532dc99e9

SHA256
23a7ba79dd72a4ec56c818901ca08f34e48fa0db004de1e2ff6e84d22a1b78c1

SHA512
7683f3a4a3de909a3e131e000256511fc176e5aa1431bc99667da0898845862c4f877959fd3d28db5bd06eedfb64a0d452d4ae632fdfed42afa594908c6ff5c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
8db159b8696eb4db82c5cc8e0d01cde7

SHA1
e10551e124d0fd94334ecca8d85d590a28ac8c20

SHA256
2bf8b47fd2aa1c100d073a4be4a4cabdcdce73000cdf4de253b9c15a0ee69ac1

SHA512
3b80a3cb6ead86d1e0c636c364a4383165b09738c647720b92310d3bfa64705b840cd1094a29d324b1ce65be35da43f156dea604263ede91bd75eb5f372eec2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
49f9d1af376264d36fbaf253cc316de8

SHA1
8c35dad79574a3b439112be67060c66550e57d86

SHA256
7d3b2e29daacc6869b8723bb575f3685bce3061b04b48da48c6029d05473d29d

SHA512
b13eeebb50fff60c9cb5a8a27b7ef88d8a0229de802ad43c9afbfee30d75084ce3386f27e6e869c849a11d4aa0deb927c47326e9a0575c244e9dd57b28000100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7a6b4efa-637e-4fca-8dd0-e4022f1db1e1.tmp
Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
73KB

MD5
8bf265e3659fca32fb21573a9bf49650

SHA1
94cca49deabb5508efe2b68ab37f89067c3c1f9f

SHA256
747266fa0ec745fd51bc505946bab608dd77bd0609fc417d35d8585491ac8226

SHA512
56cc346d883aa97d5f6ddd63295c381b067f7593e15afb22941cec3a02299f12f2fde78e8581936e07b1bfbee7ba33e603e6e47420b66e20c056e2ff14a1ba7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c8c3db8b63160e84_0
Filesize
255B

MD5
7802faf2192aaa8e4e9e372eb6b02e96

SHA1
9a0124548f9610105cd3fff1724e600d610440a7

SHA256
459280c543a251fbd61578b1993476942bcb1cc4fb7d292c21e8bbcdc755bb6b

SHA512
2974ce3e28cc19f0c8abb2022f031f7d058d6357aad3a976b9af3ff720714da6cd5fd02589ec036d23451557d7ad283fe68b8db8cf0e01fb24edb19be8ee97f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c85ba079886275c87225d51cf4e2edb8

SHA1
bb93b7e9bddb9923c051bbfe9e6c1e7dfb6a5753

SHA256
79c4e7cc1fea6a4131271b34357ec5fc63b2af4cfdfad7656a2e3226a4cae169

SHA512
9cabc214589d5509c019ea310ab7136c414438d8e83f5e2444dd3975bf6839a49f4ee77b26ce513d29b72542a427dadc57690f7c4382496d71a0abddb27537b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
15714702418fd00440385542cb52c31c

SHA1
990a45eb14e1fd13cef8eb49351ac7de2a287348

SHA256
6070622b19720c7dfda139fd632b94dc614f01342f4be4f03736a418a3c6c76a

SHA512
f61a888e579fa7eddfe68e0a28ffd47d0e42e98e1e01f6000c512bddf087007bc5d25fc72aa9672151613618ef0522b06bcfa3c54b00af0cf14f57203c127918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
eb8764f7d256cc757270bb247faaac91

SHA1
fe59c556984c982ef272709585225c0317aaace0

SHA256
3d5fb305682ca5509efaba6ee0f104d2bba763ad9e6223fc2ad2be2412bea024

SHA512
902ca71292aebfb6576abdd8ff35245dcaf8329fecfeb2a9f4c4d9b45e34ebe0490809b6818e04e87a8161190d4dad750795f75e0afffc80cf9bb3ac90bf028f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e7a6da1983984d435e3cc900298883e9

SHA1
bf3adf4e0832ba5491742c653e22d721042cdd8d

SHA256
4659e1e1eaaeaec1c2ebd97db57746fb569db7c6b1bb1d96a421405202ff414a

SHA512
b86f5a43c8379096bf0141959239144ff071d418a49f01e1803a44c49f9ca5d16698a9b300b27f336898659f9df81c253b8366c004cccbca4073a001174d036b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b163057a0eb638e9d665d04b93d56339fb99e052\1e9e4feb-6b31-450c-a875-c3f6d5d3add3\index-dir\temp-index
Filesize
72B

MD5
70d8dbcf057db757ae64bb154bd6edae

SHA1
2094a726624cfacc008fe6f238cc1bd76dc91288

SHA256
a2ad32cee8795dcdda8b3477fac15b0be7a83352452a2200f4d0ec346ecf4b24

SHA512
9f657508f05b512a14d8272d09f3abdc1bee2eb154018203177460d18f8e74baf8f8c05d3a5de3fa5706b854ce4d0426ee78dfe830b3cf598d991c13b951e8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b163057a0eb638e9d665d04b93d56339fb99e052\1e9e4feb-6b31-450c-a875-c3f6d5d3add3\index-dir\the-real-index~RFe5918ce.TMP
Filesize
48B

MD5
3ae1a1d92c4bb44b58a70b07e6a74e6a

SHA1
89ec1e8d81a7c499da3a4e24076c86e945e6bf03

SHA256
7d7bf4e7a3e4b7a45b2aca08045608d6b860cf21e4d69f4cc5408b43de676b6b

SHA512
8d181937455f655a822bc9a47b0a83f6fcbd374c307b431efbe30d833c41482fa6adfa427493882020ba6bbcc0620dd9357cdd08df26cb086fa3fdc90b59d492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b163057a0eb638e9d665d04b93d56339fb99e052\index.txt
Filesize
99B

MD5
be455f1c0b848315ab6677f6cf0db16d

SHA1
03ba593f0adfb54640cfcb2565f788670992f3b3

SHA256
dc2bc9d536b14206a482fa7a835446f930e06511d34a5075f4e636752f6df790

SHA512
909181d7956fc8c8381aa3cf838c7fc15c5f08696961866977d0701d4ae0787df7fd5dbcfddaef965f1e8ee08c0a43988de50a3d75c5ddcb14f8fee135d9ecb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\b163057a0eb638e9d665d04b93d56339fb99e052\index.txt
Filesize
93B

MD5
c1eb68fcb6218418299c0af412f9a2a0

SHA1
5fad81040690d157d3ac5853658cbe9c2d45e746

SHA256
7b000a5409b75d65b8cc46225bbf01f6a07949c0b0154b744f19e870c681143a

SHA512
67e29d991a4a9b7df03e66d52ec86749266f0ab9c58e5450bf909d83d2925394f5438707d7b1e4d262c29bf448103453a49b7c3eeca43542c1bbd906b5a1b5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
1571401beef5ad1ff30bedc7b67b13fe

SHA1
171f9a4199293ecf9c92c30207d97f9db914203c

SHA256
55772495c74e61038f1492f62a4921726b830cc2db55c02413f945705e4403bc

SHA512
30906820f191af6cfe7eb346255695eb5729ba19a6d10b2016af826728013d915397f0d9d9117a33a061095719425b4e64f67520c13a8f480cfa8fcddf7f474d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591766.TMP
Filesize
48B

MD5
4fda726ccd9d9ab556ef9929d4b97a31

SHA1
8b0464c86a6c33335cb5496f5de19c632cf7f460

SHA256
5c4e2ce18082f4e626d90d9cf8e89b25feb9109fe3fc27b1efdf4ac7976c75b3

SHA512
d7a878fc851d6b69345e192d05e9049c9a0f011c4dc39b0b6de5b3ac1abba32f6b95dde3fa7c1d3991e4a1f5e55a1e28c7de0005cc6d6f066aff48c69f01a7a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
a164037d38e0c5471c499add057d6461

SHA1
362aaaf9a0454d9c4e2a7a0c24af7bb2bf065a8c

SHA256
94f06f10e604204402c48a5e56143d21563f36fe18a916086621b5943afe23d7

SHA512
703680468428b3726665438ecbaf0bb303f26042dd2fc95bc625eada6f10d205d08a64fea8287fda692d5a6b68d27223151a6854ac31c8838698bfc3447c7564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b70400256c0bf6b75b7ff4798b695e57

SHA1
f699c5d21a22a5a3b81cf6b931e09c5ad0e322de

SHA256
b24c20a928f2d8f6380a5633a66dc950bddd124d51bd9d7bbf3c96d853a75f92

SHA512
9b20b65877b052c2f397550ce5074b26dab7ec7be1e7c2897381bcc80e26915cfdc3385d2e1334f44ba325fd5e1ce82bce4634bf055626f0c09d0195847d305d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e6a2.TMP
Filesize
370B

MD5
86b9b887ad1943f6c169cb39893d7dd3

SHA1
14e94028ff1ef0060d173bdb37c48905196012b9

SHA256
9f58fb1336d9554e3a850d94980373717e184f0739d3273f2e1ec59404b2ff42

SHA512
6c9b6a141a6688a10e96feadfc9b9c7ab83d1773f6e41b8d3299e77102aae5f1997227c68329ed620aea813f3f400eacb43a29b4803c8dfc5019b1ad078f6501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
e074d16bf0378a5d3d95a5c7a24ea6d1

SHA1
71070427e18661667675bdcdd11b1f08ac34f3ee

SHA256
c82809a54f7b2f1ec292253a5db9a93d55b7ce81fdcbe0b2a597dc099a67fe0c

SHA512
6a9f2bfaef5fbc4a74b3e91c5b582d0dc639a8fa884b7e94b88fdc89c3c49a1ed247bcfc2dfe442eee047214bba2b7a1fccc1cdfd4bc3875ccc46226ae1d2a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
76382b0fa1c752b2b141252c5b39ff2e

SHA1
0b6f635e94f0a409a93f583763f783a7e34c40af

SHA256
bb6eb70bf670be8c29ea38a3819a0fed4db2a6e0a15a14358854547b6fd25ad3

SHA512
2e75f1434090d7fc8e1cf3b67f458af908d248b5b8098339908633464d1bed710b30d8416ee271c4554329e814f116a4f821b022c9559074463b870e6b2e9c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO45A95CD7\setup.exe
Filesize
759.0MB

MD5
ecd36a87035b88802b3c4f773cac0111

SHA1
3c28b5ef80d4426d6581cf28ca77277f3f16e2cf

SHA256
8b956cd61b9ac4136b0116e82921f9caa51a88243f903714024e0a8ae825eae1

SHA512
d477daf4c1aeb34eba8fc83f34f9aac43cef5bb2536f43a287c238708234e4ecfc4e6dd64e1ce520d85d3f69d839443656a9d140e0ee078b0424353af9467689

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oaxwcuw.hzu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AFBFS.tmp\HjsqtEideoBcD2OOy3QX2OP5.tmp
Filesize
680KB

MD5
f4eb7ec73b1f68f9ab859123c0e62c29

SHA1
3c9e5102a023a42ccdc0bf743a443fcf574c0c45

SHA256
9080e6e39d137f68c16e215b664e2f8301d509688b9d5eb21feb0737957e1d01

SHA512
d3988397c89f364da5a9999327a41299dde8a15ca1405aba518402d85fa5b1f0dc962c684b2bc9c1d6fb135c8061c3e22e3606ff100001a2f0a033b71713d0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TKUCU.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\25nKD16je3DEDRxa_uXnnfEx.exe
Filesize
6.3MB

MD5
f44ea65055a0760734e533f3da0f132f

SHA1
c1802748875bd09e92b199e9dcca49060239b5ac

SHA256
1f742a43dd74439c8f7c7ff60e957abea626d1a174061180cfe930877435afc8

SHA512
ae89d8359552ac91501ec33f589acdf3343f58869fd9494960cbcde5023de9d5aae867d4bd48e07c2f8d22271860e4ca975a8d67f790b9c25e068a85e952a67b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4MGIub_aglQ6Ip29B5OEp1Wl.exe
Filesize
253KB

MD5
69f51d645ac40b9d8a721384a45cba82

SHA1
16dd1447affa5da4e619a4652f370f3f49c99d0b

SHA256
da0fd75e069222661afe3bc96b0e337e4f329a9dd8c4e14b482007c52533e902

SHA512
cc66b79fd0eb3e7d5d3bccbc0ffd849db1782a895fc83e165375e921963a08e82e4e93478e37f8339969137566cf55c2416c23b433a4a6eac771b4728a4b3424

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4MGIub_aglQ6Ip29B5OEp1Wl.exe
Filesize
253KB

MD5
de33827df17a7b4a68457619cbb81e09

SHA1
a8e6b9185b908c1a1f0102bc197856a5da0f6c84

SHA256
462fb0f2405ec6272c3ce13a94ed0eebfbe2aaa7187e2ac207b15800c1e729b9

SHA512
4e1d52a9267192cf2f9dd52b37561f718f5bef6aa43554e16eb87944506fe959ff2f60ae22b83949bcae8608354e6e0ed454cdb8d2b609b3a370646a01f44d86

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Bk7knsKWhu5R2Z_L4JuoKuae.exe
Filesize
272KB

MD5
f24a96895cd74a2638cf9243b63f1408

SHA1
67a282341ddc5668ab54aa12840adf799c5a7673

SHA256
4fd5a10d3be2a46e62e88ada79da9319d4c8035add6541c9ffc8df5de4ae2c05

SHA512
62a1312166ced2b5ae92f8554cac7741b97c56d238a5b8816825e65e5266124b2a5e8e439e3aaa7c890c64ecc57e96a29e35fc27bf5bb008be6737e41cb93781

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\D2dWI8yDd1XhMXum8P_AzE8A.exe
Filesize
4.2MB

MD5
b84900261c49889032704a36eeb9bda1

SHA1
661a2e5adc687bd453089c70845fb519f095f6e8

SHA256
508e56dc07d7effe7f1e60e523d19e68bf9fb57598d6878f09d331adc19152ef

SHA512
e75285f23ad7876ca3715f3f653c2fe6d60ddb983c6df22e9775a08aeadc8c8675eec00fdbe51b049df5b4e584a808102260c5aad00ed5d4b3a1915795cc41ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\HjsqtEideoBcD2OOy3QX2OP5.exe
Filesize
3.7MB

MD5
ccd22f3d11c0fca2221726b71c3e5b9a

SHA1
c72e23366c8b56aa6ee681594a1e7aa83f87881a

SHA256
57b92b5241a9ed1c7642a01530b6c58f6f86a0312eb6353c4c14c53975669a84

SHA512
877a2fd950eee619e47b2a777a66d9d8d03f404161c75385bdae4d35e7a25df9846419ce81af46784150ab97b74652b61527b61eebca10c07dbcddca9676d723

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Kograzv1x5E6KQV9L1zLFdSV.exe
Filesize
2.4MB

MD5
584aec4c37518580065952985c2310b2

SHA1
cc5ae3f40f0b90f0f4f2ba5f1a164532d507e3c3

SHA256
c943e934d4f4e710036e890c64ec6670d085882e0b478599c26c11feddefefb0

SHA512
39df7fbb40867cb561de7d38ab455c668a57be74a965a3b69da406a1e93447a301861c6e7e05b871bea2c63feac6cbd745b4a1db01b54e3f204f9b9f562b6b1b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\L9Xyu21irZLT6YiZqVHlhcoH.exe
Filesize
5.6MB

MD5
5840a19b416015c7726b599358cf7882

SHA1
95d4b6d985ce643449921d43e2a06d0b920706c5

SHA256
887abc754fb73b1fe0095a3897d81c0e6b8925cd9b40a2a25ab2974ea669bcd4

SHA512
dedd41375161733e7c8564c7658704c7324b4ac38193eee3fbeb3435c2a3fe8fa4e840759a763b2023e1d36bd101bce456cd6af6d2b4787056c162fa45522702

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\L9Xyu21irZLT6YiZqVHlhcoH.exe
Filesize
5.6MB

MD5
2019322ea56c5b80294770f6018bddc1

SHA1
19285ecd68a4d9b957f87502c555dad437cfeb8f

SHA256
0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096

SHA512
092b6a5e503da5057fb569ba439dff8dea9c79ce6a036f460543ebbc7eb5de9bc206f5283c26f9f38e4ed027fb9b99336c199c7446e9e1bb3b973e71e11683e0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\MAE9rjafP00aPAArTA53RIc3.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\S85ItSdm5E3b3XcbKINGMxg2.exe
Filesize
310KB

MD5
4585644cc545e760b8e2412036538279

SHA1
118a32c87de05732454bbdc1223b98be1f9feb45

SHA256
8637ccd114da9df8652f5177afa2707d78ddb60f938ca62ea3801c08c84d7b73

SHA512
14b1cc2780b2d97067b7350cadde570a6a340391663a1362fe28ee7553787bfabda7b313b69bce74e83ee0b4cc8f4827ffeea588ed89fc3dfccbd522bd10f8fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\S85ItSdm5E3b3XcbKINGMxg2.exe
Filesize
310KB

MD5
057286b935c67ecd4dd02f20b280efda

SHA1
afaa2d2041b6139549ea3785656cc5ccdb4a7d08

SHA256
816a0d255e2c87e93f026d220d4d9e3dbb72a9897d3bae79c6748db16c25265b

SHA512
5bdc11cb5eb6c299be2a3ea0ce0cabd1a3c7a42f438e6f46077e7d25d1814cd6241b2c2021757b232e29a841be5c65a3ef855b20e589e853f02e0465d24b7161

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Sd_Z2tUfYvdkl6DbIwO4IBLk.exe
Filesize
253KB

MD5
9c62b2cace38bbed4e624bbd2d36ef42

SHA1
d2a023ed67b4fb0e77e54ea835f1cec763e03e48

SHA256
08c1d7fdcdebaa5fe76dd7c18d96ba32ee6577a43f3d4ed68d0b360531980f8c

SHA512
79bd7c8ee9815ed5bf49737b6e260f989ba75f62d54171b038b6b4acbe8b043b6d0ea82877dd59aba7901e017293dd605d2af9b771d4b6ba375a9966bead81ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ZrOcXZEmqVB8XS_YvZBNZLRw.exe
Filesize
875KB

MD5
e03cf843bdb999b5ae92e8c8bda832aa

SHA1
a186ea95d3d552e7f3c2ce0013eaa9899baf652c

SHA256
479c85e8cba2d4eeebf3db349b9004a9ca6a4e20f45a651a15e50b01e461c170

SHA512
f522d591a1c4de75c21a2c034bef6cea3a471c9e5ae41a65b5d0f9c9404202828f36d3f88327924dee27245fa4ac1b28e8ab9387b1d61c23963faff9efc3627e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\aBrwDXhGhu0pnjQbv3OgCGMx.exe
Filesize
5.5MB

MD5
fa88d1c7d5a92118cd8c607b1330cb57

SHA1
24b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9

SHA256
538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56

SHA512
54d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dL78s3hDjeuUpHjg80UHUctd.exe
Filesize
5.5MB

MD5
6fd0036a01c8e08fedf3ea04ff8b4327

SHA1
1b255d890977f7cca4f2e864e6c9433e3d1a8d3e

SHA256
ab01dc951f77c78e2e7220b89a2ba30e688b9e78f0a6e2b79ac7f939585d05f2

SHA512
6531887b5f7035c9f9db18652d0260a8cc25b9ccce8969ae3f71ca310d3a7081c6c2fd24f236a6ec3daddde24cbf862a5e433aa8c5575825b02168cc4ee4a9bb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dL78s3hDjeuUpHjg80UHUctd.exe
Filesize
5.5MB

MD5
cececbb3f6729042e4e526770768e217

SHA1
2db4aeccf35972bce927adb063098171bf982fc1

SHA256
9544c306872ba30be9c4738e8d4621496d4a34915f24af356905ab0f8de01066

SHA512
894f67862ed69dd21e1fb5399e9af1e4ef4a955902f172b5ee19bdaf880f38f5d3cd518459fa59de63f5b295e31adf6f3bf7a7f7562dd2e38e466044c9b9da9e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\hpmWYHhclrc51Lea4EbhdQzE.exe
Filesize
299KB

MD5
3d4ee9d5726a2c3209d02fc310e9f82b

SHA1
5db365d8a8bfe38b5e7906734e471471e3eda0c3

SHA256
593d9d5211b41d0480b18a02563cfcbefc5868e909aef2e44a2645276742a997

SHA512
a130b3c001568a585c0cc31f603a9afd7a41b6a60436dd0d45c1ba8e888c20c42b59fc01d558fefb34bd385ab48a19c934fe93b150e9bbe6ba4718013e8c90e1

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nbkL8JRPH3oFUeB3PHslUrSj.exe
Filesize
274KB

MD5
87c9a9ba72b96d2ff468263ef36b9b8d

SHA1
f3172f187b439d8c1cec716cbf6cbe984c4ae5ca

SHA256
b401e6479faf0f1689133e19d4e5215f14ab78078f6d8d8997b5db3725245858

SHA512
95e3bff2e49ae7bc9174f10f9dceba267e28118279efd2ac89981c0089d774592578674569b2620512328f9c17955091e271cd91a2c5e7ffffd784bedfbe1950

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qt3aKCxVAsKoRiLDfS7Z73y_.exe
Filesize
5.5MB

MD5
5efb20ecf468b1655161f6644597f817

SHA1
d8889d70b8810f78ac8f1e505e7f1cc53902caa6

SHA256
c17d9e85a57cb25faf209c3d4e3478b7c746f3ba0c9b2a7ac79c66cf8b90202a

SHA512
565f29fa5d988cb94d9b1c88806c48a88ada361064f95a32f3088fbe5e22633a0163286f75abc103e8411f8a6d43e347f04a8bf4d4bc490c0d00bbab6089e758

Download Submit
C:\Users\Admin\Downloads\ver3_release_file.rar
Filesize
11.2MB

MD5
a58741d016d402019ab53477fd58d8a7

SHA1
795678c7f0a514edee7195ec70e1b3195a9c3fe1

SHA256
3ea1e1a174c2142f3555390abc038568079b822e1ad3aa542c184ef296f848af

SHA512
dc631db4b8fea6f3725a62a4ffcd1e97ad7b26e6f47f712bc5a0f1171da4130586342fa7e04b4f14b4f907388a166d93bf2aaf376b9c07aedfeaab44e4cd1663

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\??\c:\users\admin\documents\simpleadobe\kograzv1x5e6kqv9l1zlfdsv.exe
Filesize
2.4MB

MD5
19e47ecbca6b4211af977eb3141d0cdc

SHA1
98e30f7fb85a36fd08a32df9b2b1a50ac1176790

SHA256
59a86691000c616b9b5f9530f25545a736246e7d225cce03ed8ab3bc077893ec

SHA512
1378896294c5c1385b39820e6945d75fe7c2c32427e5cd3ec41252dddb23a8ab39b90747da67735dbbaacf14fc659ca33a8c5acabc539e370cfa4c97f1566e7c

Download Submit
\??\c:\users\admin\documents\simpleadobe\sh4rigsigs9ivuw83aulimob.exe
Filesize
4.2MB

MD5
73f3908dfa18707456c09a56fd5ac249

SHA1
e244db5df5cbe9c9451d1ef95a5e7c8d2c072902

SHA256
d6f68090d9f8bd8743da29d8041627e655d7844dd1091a220257af71e262d94d

SHA512
b6ecc4e97ffb8a763f503a565d6ed351aaedb6a4c1007579551a9c0b84125e58309f6b4440caf59ce729bce58dda8371311e7817f96852da8bab6c2fbeaafae3

Download Submit
\??\pipe\LOCAL\crashpad_3868_HVQMVTKXLXQMMPOC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/764-721-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-706-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/764-727-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-860-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-840-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-737-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-762-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-784-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-710-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/764-685-0x0000000000D00000-0x0000000000F66000-memory.dmp

Filesize
2.4MB

Download
memory/764-720-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-699-0x0000000005810000-0x0000000005A50000-memory.dmp

Filesize
2.2MB

Download
memory/764-791-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/764-827-0x0000000005810000-0x0000000005A4B000-memory.dmp

Filesize
2.2MB

Download
memory/1252-1226-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/1252-1239-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/2400-1243-0x0000000000980000-0x0000000001383000-memory.dmp

Filesize
10.0MB

Download
memory/2400-1246-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2620-725-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/2620-861-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/3560-876-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/3560-834-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/3816-100-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-94-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-124-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-123-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-112-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-122-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-96-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-95-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-101-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/3816-111-0x000002221EB90000-0x000002221EB91000-memory.dmp

Filesize
4KB

Download
memory/4228-678-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4640-312-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/4640-130-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

Filesize
8KB

Download
memory/4640-128-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-335-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-137-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-131-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-138-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-134-0x00007FFE00030000-0x00007FFE00031000-memory.dmp

Filesize
4KB

Download
memory/4640-132-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/4640-133-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-129-0x00007FFE284A0000-0x00007FFE2855E000-memory.dmp

Filesize
760KB

Download
memory/4640-140-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-139-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-322-0x00007FFE26100000-0x00007FFE263C9000-memory.dmp

Filesize
2.8MB

Download
memory/4640-148-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-135-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-291-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-698-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-311-0x00007FFE284A0000-0x00007FFE2855E000-memory.dmp

Filesize
760KB

Download
memory/4640-379-0x00007FF7A0650000-0x00007FF7A0EAC000-memory.dmp

Filesize
8.4MB

Download
memory/4640-136-0x00007FFE26100000-0x00007FFE263C9000-memory.dmp

Filesize
2.8MB

Download
memory/4676-1147-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/4676-774-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/4676-724-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/4676-730-0x0000000004940000-0x0000000004953000-memory.dmp

Filesize
76KB

Download
memory/4788-749-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4788-1235-0x00000000006B0000-0x000000000104A000-memory.dmp

Filesize
9.6MB

Download
memory/4788-761-0x00000000006B0000-0x000000000104A000-memory.dmp

Filesize
9.6MB

Download
memory/5104-709-0x0000000004A70000-0x0000000004BBF000-memory.dmp

Filesize
1.3MB

Download
memory/5104-722-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/5104-1259-0x0000000002FE0000-0x000000000308E000-memory.dmp

Filesize
696KB

Download
memory/5156-841-0x00007FFE289D0000-0x00007FFE289D2000-memory.dmp

Filesize
8KB

Download
memory/5156-1251-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/5156-1309-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/5156-848-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/5168-1113-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/5168-1509-0x0000000006D10000-0x0000000006ED2000-memory.dmp

Filesize
1.8MB

Download
memory/5168-901-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/5168-911-0x0000000005860000-0x00000000058AC000-memory.dmp

Filesize
304KB

Download
memory/5168-864-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/5168-885-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/5168-888-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/5168-1258-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/5168-905-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/5168-789-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5172-859-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/5172-866-0x0000000004950000-0x0000000004977000-memory.dmp

Filesize
156KB

Download
memory/5240-1264-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/5264-1111-0x0000000004D70000-0x000000000516D000-memory.dmp

Filesize
4.0MB

Download
memory/5264-1122-0x0000000005170000-0x0000000005A5B000-memory.dmp

Filesize
8.9MB

Download
memory/5264-1229-0x0000000000400000-0x0000000003105000-memory.dmp

Filesize
45.0MB

Download
memory/5344-1431-0x00000000057BC000-0x00000000057BF000-memory.dmp

Filesize
12KB

Download
memory/5344-694-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/5344-1405-0x0000000005B10000-0x0000000005CA2000-memory.dmp

Filesize
1.6MB

Download
memory/5344-1417-0x0000000005F40000-0x0000000005F50000-memory.dmp

Filesize
64KB

Download
memory/5344-1429-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/5344-704-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/5344-697-0x0000000000890000-0x0000000000E0A000-memory.dmp

Filesize
5.5MB

Download
memory/5496-726-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/5496-869-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/5520-847-0x0000000000400000-0x0000000002D28000-memory.dmp

Filesize
41.2MB

Download
memory/5520-788-0x0000000004960000-0x000000000498D000-memory.dmp

Filesize
180KB

Download
memory/5520-786-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/5520-1489-0x0000000000400000-0x0000000002D28000-memory.dmp

Filesize
41.2MB

Download
memory/5564-868-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/5564-731-0x0000000000FE0000-0x0000000001026000-memory.dmp

Filesize
280KB

Download
memory/5676-793-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/5676-832-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/5676-844-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/5716-790-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/5716-845-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/5716-835-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download
memory/6092-1233-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/8144-1442-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/8144-1491-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download