sectoprat | 4b580fb4ad57c5fc8820fc8b03f10c23e6760e5ae82bfad1e74837eb4cfc1b14

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YTOEOXNI.msi
Size

11.5MB
MD5

9248af81884e42bbe88c68301645ed71
SHA1

befa771be695135a36f0b01baeddf93d90b001a6
SHA256

4b580fb4ad57c5fc8820fc8b03f10c23e6760e5ae82bfad1e74837eb4cfc1b14
SHA512

0074593384cafe4759d17f0609672055bf9250ab934f865bdcb1f314480d5b496c805077b2a4827722aa702c7e9064ae2d4093ad015abb8206a26cdf6af609f2
SSDEEP

196608:XSvUddiGELiFTAVGahnhyk8N0FFLOnoksRzYlmKEomfEDS6l4crtNXX6i4p9:KUddFo9VGafSaFFL5ch4Drp9

Score

10^/10

sectoprat credential_access discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1060-111-0x0000000000700000-0x00000000007CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3356	chrome.exe
3868	msedge.exe
3376	msedge.exe
2036	chrome.exe
3308	chrome.exe
1288	msedge.exe
1900	msedge.exe
3876	msedge.exe
4544	msedge.exe
2884	chrome.exe
1136	chrome.exe
316	chrome.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4716 set thread context of 4032	4716	CamMenuMaker.exe	105
PID 4032 set thread context of 1060	4032	cmd.exe	118

Executes dropped EXE 12 IoCs

pid	Process
4936	ISBEW64.exe
3208	ISBEW64.exe
884	ISBEW64.exe
4104	ISBEW64.exe
2760	ISBEW64.exe
1112	ISBEW64.exe
1600	ISBEW64.exe
1976	ISBEW64.exe
1496	ISBEW64.exe
228	ISBEW64.exe
4072	CamMenuMaker.exe
4716	CamMenuMaker.exe

Loads dropped DLL 14 IoCs

pid	Process
4164	MsiExec.exe
4164	MsiExec.exe
4164	MsiExec.exe
4164	MsiExec.exe
4164	MsiExec.exe
4072	CamMenuMaker.exe
4072	CamMenuMaker.exe
4072	CamMenuMaker.exe
4072	CamMenuMaker.exe
4072	CamMenuMaker.exe
4716	CamMenuMaker.exe
4716	CamMenuMaker.exe
4716	CamMenuMaker.exe
4716	CamMenuMaker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3456	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4072	CamMenuMaker.exe
4716	CamMenuMaker.exe
4716	CamMenuMaker.exe
4032	cmd.exe
4032	cmd.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
2884	chrome.exe
2884	chrome.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe
1060	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4716	CamMenuMaker.exe
4032	cmd.exe
4032	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3456	msiexec.exe
Token: SeSecurityPrivilege	1044	msiexec.exe
Token: SeCreateTokenPrivilege	3456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3456	msiexec.exe
Token: SeLockMemoryPrivilege	3456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3456	msiexec.exe
Token: SeMachineAccountPrivilege	3456	msiexec.exe
Token: SeTcbPrivilege	3456	msiexec.exe
Token: SeSecurityPrivilege	3456	msiexec.exe
Token: SeTakeOwnershipPrivilege	3456	msiexec.exe
Token: SeLoadDriverPrivilege	3456	msiexec.exe
Token: SeSystemProfilePrivilege	3456	msiexec.exe
Token: SeSystemtimePrivilege	3456	msiexec.exe
Token: SeProfSingleProcessPrivilege	3456	msiexec.exe
Token: SeIncBasePriorityPrivilege	3456	msiexec.exe
Token: SeCreatePagefilePrivilege	3456	msiexec.exe
Token: SeCreatePermanentPrivilege	3456	msiexec.exe
Token: SeBackupPrivilege	3456	msiexec.exe
Token: SeRestorePrivilege	3456	msiexec.exe
Token: SeShutdownPrivilege	3456	msiexec.exe
Token: SeDebugPrivilege	3456	msiexec.exe
Token: SeAuditPrivilege	3456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3456	msiexec.exe
Token: SeChangeNotifyPrivilege	3456	msiexec.exe
Token: SeRemoteShutdownPrivilege	3456	msiexec.exe
Token: SeUndockPrivilege	3456	msiexec.exe
Token: SeSyncAgentPrivilege	3456	msiexec.exe
Token: SeEnableDelegationPrivilege	3456	msiexec.exe
Token: SeManageVolumePrivilege	3456	msiexec.exe
Token: SeImpersonatePrivilege	3456	msiexec.exe
Token: SeCreateGlobalPrivilege	3456	msiexec.exe
Token: SeCreateTokenPrivilege	3456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3456	msiexec.exe
Token: SeLockMemoryPrivilege	3456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3456	msiexec.exe
Token: SeMachineAccountPrivilege	3456	msiexec.exe
Token: SeTcbPrivilege	3456	msiexec.exe
Token: SeSecurityPrivilege	3456	msiexec.exe
Token: SeTakeOwnershipPrivilege	3456	msiexec.exe
Token: SeLoadDriverPrivilege	3456	msiexec.exe
Token: SeSystemProfilePrivilege	3456	msiexec.exe
Token: SeSystemtimePrivilege	3456	msiexec.exe
Token: SeProfSingleProcessPrivilege	3456	msiexec.exe
Token: SeIncBasePriorityPrivilege	3456	msiexec.exe
Token: SeCreatePagefilePrivilege	3456	msiexec.exe
Token: SeCreatePermanentPrivilege	3456	msiexec.exe
Token: SeBackupPrivilege	3456	msiexec.exe
Token: SeRestorePrivilege	3456	msiexec.exe
Token: SeShutdownPrivilege	3456	msiexec.exe
Token: SeDebugPrivilege	3456	msiexec.exe
Token: SeAuditPrivilege	3456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3456	msiexec.exe
Token: SeChangeNotifyPrivilege	3456	msiexec.exe
Token: SeRemoteShutdownPrivilege	3456	msiexec.exe
Token: SeUndockPrivilege	3456	msiexec.exe
Token: SeSyncAgentPrivilege	3456	msiexec.exe
Token: SeEnableDelegationPrivilege	3456	msiexec.exe
Token: SeManageVolumePrivilege	3456	msiexec.exe
Token: SeImpersonatePrivilege	3456	msiexec.exe
Token: SeCreateGlobalPrivilege	3456	msiexec.exe
Token: SeCreateTokenPrivilege	3456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3456	msiexec.exe
Token: SeLockMemoryPrivilege	3456	msiexec.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3456	msiexec.exe
3456	msiexec.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1060	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4164	1044	msiexec.exe	89
PID 1044 wrote to memory of 4164	1044	msiexec.exe	89
PID 1044 wrote to memory of 4164	1044	msiexec.exe	89
PID 4164 wrote to memory of 4936	4164	MsiExec.exe	93
PID 4164 wrote to memory of 4936	4164	MsiExec.exe	93
PID 4164 wrote to memory of 3208	4164	MsiExec.exe	94
PID 4164 wrote to memory of 3208	4164	MsiExec.exe	94
PID 4164 wrote to memory of 884	4164	MsiExec.exe	95
PID 4164 wrote to memory of 884	4164	MsiExec.exe	95
PID 4164 wrote to memory of 4104	4164	MsiExec.exe	96
PID 4164 wrote to memory of 4104	4164	MsiExec.exe	96
PID 4164 wrote to memory of 2760	4164	MsiExec.exe	97
PID 4164 wrote to memory of 2760	4164	MsiExec.exe	97
PID 4164 wrote to memory of 1112	4164	MsiExec.exe	98
PID 4164 wrote to memory of 1112	4164	MsiExec.exe	98
PID 4164 wrote to memory of 1600	4164	MsiExec.exe	99
PID 4164 wrote to memory of 1600	4164	MsiExec.exe	99
PID 4164 wrote to memory of 1976	4164	MsiExec.exe	100
PID 4164 wrote to memory of 1976	4164	MsiExec.exe	100
PID 4164 wrote to memory of 1496	4164	MsiExec.exe	101
PID 4164 wrote to memory of 1496	4164	MsiExec.exe	101
PID 4164 wrote to memory of 228	4164	MsiExec.exe	102
PID 4164 wrote to memory of 228	4164	MsiExec.exe	102
PID 4164 wrote to memory of 4072	4164	MsiExec.exe	103
PID 4164 wrote to memory of 4072	4164	MsiExec.exe	103
PID 4164 wrote to memory of 4072	4164	MsiExec.exe	103
PID 4072 wrote to memory of 4716	4072	CamMenuMaker.exe	104
PID 4072 wrote to memory of 4716	4072	CamMenuMaker.exe	104
PID 4072 wrote to memory of 4716	4072	CamMenuMaker.exe	104
PID 4716 wrote to memory of 4032	4716	CamMenuMaker.exe	105
PID 4716 wrote to memory of 4032	4716	CamMenuMaker.exe	105
PID 4716 wrote to memory of 4032	4716	CamMenuMaker.exe	105
PID 4716 wrote to memory of 4032	4716	CamMenuMaker.exe	105
PID 4032 wrote to memory of 1060	4032	cmd.exe	118
PID 4032 wrote to memory of 1060	4032	cmd.exe	118
PID 4032 wrote to memory of 1060	4032	cmd.exe	118
PID 4032 wrote to memory of 1060	4032	cmd.exe	118
PID 4032 wrote to memory of 1060	4032	cmd.exe	118
PID 1060 wrote to memory of 2884	1060	MSBuild.exe	126
PID 1060 wrote to memory of 2884	1060	MSBuild.exe	126
PID 2884 wrote to memory of 3748	2884	chrome.exe	127
PID 2884 wrote to memory of 3748	2884	chrome.exe	127
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 3332	2884	chrome.exe	129
PID 2884 wrote to memory of 3332	2884	chrome.exe	129
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128
PID 2884 wrote to memory of 4848	2884	chrome.exe	128

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YTOEOXNI.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D92EC68B5AA086B7E6E95FEC23FAC823 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B866D595-7BB9-4595-B505-2D52A846A97D}
    3⤵
    - Executes dropped EXE
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B87FBF0-14C7-4578-BED8-032CE00E2F87}
    3⤵
    - Executes dropped EXE
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1DB94DDD-CD20-4BAD-888F-EA306F5C2156}
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0E6BD80C-46B3-42B6-8B1D-A404EE2DE87C}
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CB73E1E0-A6C6-45F8-B716-667C8AACBF39}
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94E20E4F-A383-4FD6-8C39-0584DFCC74D3}
    3⤵
    - Executes dropped EXE
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E925AEAE-BE25-438E-822F-693CA4694E6B}
    3⤵
    - Executes dropped EXE
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8E301F1F-7215-429A-A832-9751998628A8}
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E1135C7-C9B4-4C8A-B52C-D39D0FDD48BB}
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1A24E77-C585-4816-A6DF-6B1C83F1DA8A}
    3⤵
    - Executes dropped EXE
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\CamMenuMaker.exe
    C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\CamMenuMaker.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Users\Admin\AppData\Roaming\backupscan\CamMenuMaker.exe
      C:\Users\Admin\AppData\Roaming\backupscan\CamMenuMaker.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=7813 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ff9d847dcf8,0x7ff9d847dd04,0x7ff9d847dd10
        8⤵
        
        PID:3748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2132,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2128 /prefetch:2
        8⤵
        
        PID:4848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1996,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2220 /prefetch:3
        8⤵
        
        PID:3332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2416,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2576 /prefetch:8
        8⤵
        
        PID:4648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7813 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3184 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7813 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7813 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:3356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7813 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4320,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4352 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7813 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4848,i,15979644548638874498,16956262896090694353,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4892 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9034 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x24c,0x250,0x254,0x248,0x260,0x7ff9d368f208,0x7ff9d368f214,0x7ff9d368f220
        8⤵
        
        PID:1848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
        8⤵
        
        PID:2984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2248,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:2
        8⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2524,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=2908 /prefetch:8
        8⤵
        
        PID:3800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9034 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9034 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3592,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9034 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4244,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9034 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4208,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:3868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9034 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=1828,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:3376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5296,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
        8⤵
        
        PID:3652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,6437616069963730129,14066965901100860397,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
        8⤵
        
        PID:540

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Authentication Process

T1556

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3460ae67841083a58564ea467981451e

SHA1
4533e2c096292a9779c9e416830a2d01ae1378b9

SHA256
1ee47adcaa5a7b84a59c907e5a32167a6ef0d53deb284c59d32ac729d35e3543

SHA512
8e24f8c257b4587d22ccd685e5c7ad5430ce8a5cc86109668c30ae4a46e0db7e5d98d12143f7e7512b3f2686cecbe3a2e4ba059a56be734f3346af64855f1392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
de16a3b42983e9c70731028655e94faa

SHA1
7f3f58f89c7b6e1e3abb3fb5fb8f0995ef2c16ca

SHA256
e6afff1a5fb79b4a64ae4f3833af3df649c229d5aca33f7080f809a7e840ee4d

SHA512
caaff7eb4ef5264a5137d71d3d56d1e3ac27c846153340d634d066fdea1b771820e3d439517a2c7b00335f9dfbba3088015cac68f23526a6e2a9e402a293368f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
cae08f4fda05958563e692b2800f4f97

SHA1
d925c605329c14fea110fcd18721d75102d3f4ec

SHA256
e6fbebdae9dddf3100e64b3bd333f454522686b4bfefbf94edf1fedbccdfa785

SHA512
4a7096ccfbfb30e0ee53dca7b7533071f0253b02408ce9b47122fa49840bb19112fa8bb27c4e7888b3957f5104b26ddc303b41017b28929611240a39b4fa6cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index

Filesize
648B

MD5
d3575c80ac20dca926daf8c76046b647

SHA1
2473d668f4b404442eb2eabde960c51a35900120

SHA256
d0b00eac444e9b7eb090887aa3f7dbf43b5b7f2a65750517427ffa1e01ec4e07

SHA512
c85bf626143639eff5a39ff3af94b028453644d7743181ad11c29b34549681a0a07a304dfe2f11867acac470c3c850631644d594df93436f169e7b23510a5ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index~RFe58deb3.TMP

Filesize
648B

MD5
c3a2dec770b072b1844e4fbd674c0834

SHA1
0a72f7a860fc4db7e907620f140608a7c056ef21

SHA256
106a6b80289eb0293365a8d799f07d1c75a922cfb52ea12b0a166cecbc6855d9

SHA512
589203fb3ba27d13d154225ff8e332e2d5f94874ba20419eae1154bbd15285351335f28611a953cde595033d44fbbab4f6e3b00d93ab69b15a3b38aacfc4e821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
584abca2938a9ec0001c65f5aae9e48b

SHA1
3910849026e6d27f8b476e91364a7a912ae3c635

SHA256
5cb2b7460e55fed9dd9e175e068f26df6ebdc173f2e09c0cda9d5352b3acbc7b

SHA512
c1c9347aa1c4e989ee068cd845519635d0430deb99d4983d6b2f42f5a8e0d2481150eb691bf66a94a925be6414ebb320d2046d4103247be7ee6cef86970ac387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
9777837bcf9db0e6417f09f82cb9a78b

SHA1
8bbd62f9fe187d83c0bf6c471eb44d8aa220fd23

SHA256
30d40297d59e01ea675f14df4acbc73869550769fd2051a18c5b9a1b1175b894

SHA512
86a15f1ca287be590f55d01c9ea37b1a57ec7647be2c19c045ad69a0f29d5657e39e1de18d63071f43c11c5a01ecb7aa7f9297876e7656c5582cc0b1f473aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\523a5041

Filesize
1.5MB

MD5
85517cd6a8f98cdf539aa603087eb8c5

SHA1
d25d22282cae443ead03792b7e86581e235e6d71

SHA256
bcfeb2d059fba07c02776af744ce61dab419e6cad3be5cf3e2146b7fde512d49

SHA512
174c95587681640cd093ccc1dec5f5a2eab03325f37ea2e5d76799af0bb491470388bb53416e2a903f3ec1a317851b9ba9e52f03cc3993bc063b1d44de030859

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3BF.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB660.tmp

Filesize
2.5MB

MD5
19977b82184bdbff3393e65aed28fea7

SHA1
6b477a76f8aee39da6f4a7b7d119515f5d48faee

SHA256
277d64dc4e90029590d74d42f9a970eb756809a7faa41727b0326229adc8e126

SHA512
86776819b08463edbb3d75e765abe83220b15bb8ca9a56acf8e9b26df24f5aa6ffe456c6b34de0aba07c4d5a2332383a49850b68512a41d833b9b802fb828cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\CamMenuMaker.exe

Filesize
1.1MB

MD5
0aa5410c7565c20aebbb56a317e578da

SHA1
1b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0

SHA256
88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1

SHA512
4d45855719ac2846c5b49a69f4680200cfe0b325a476c3d6624f5bfd56212ccf9858394c0deb98fdca0ed44e8b63720eadcc67577fdbb874c07d9f15b41e4056

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\blackcap.aspx

Filesize
38KB

MD5
fddc753120fbabaf2d2f7215a2afa5fb

SHA1
841cf18d7737aff4391444f3dea407abf7dbcd1b

SHA256
18ff383227b6996a18ccbb237dc7c0e470c5ae115509befe1b0d96ad9e81304a

SHA512
1fc543ba8c046748e61bdde60a3974c7f6ea13bb5f36392b058fa4e001ce7ca29f23189fd0301823184dcb346207b0e51936b7e1ea19697a8d79961435d024f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\chairlift.rtf

Filesize
1.2MB

MD5
a2628cda3e1d11ee27fd9e63d661c101

SHA1
962faab482dfe289516656bd0ca7ebcc271280bd

SHA256
26bf7c43ccda3568d280c9150e96395a1381ce2ffa2d7f4f60a1b20d062dee62

SHA512
eadfa9db750f657baa330fe93fef12baf094ee07e7f020f3713eb39dab62567de3a02f9ff7454cc986de87f4194ca9e2866098a607fa211c606bc7be8a51e167

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\mfc100enu.dll

Filesize
53KB

MD5
2a2c442f00b45e01d4c882eea69a01bc

SHA1
85145f0f784d3a4efa569deb77b54308a1a21b92

SHA256
d71db839de0bc1fcc01a125d57ced2aaea3f444a992426c316ce18c267c33a8c

SHA512
f18d9019eee843d707aa307714a15207be2ded2eceab518599fbed8a3826a1a56f815fe75fb37f36c93be13f3d90e025f790db6b3ba413bfd5cd040b2cc7dbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A5E64DC-9BB1-4D6F-AA1B-845C35C8E7DF}\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EE25D105-D135-466E-A3E4-DDCA3ADF5CB4}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
cc33e792646451f355d3d0d731373ceb

SHA1
14dc0c230cc01e991b7f559a3bbf1c3dca41fd2b

SHA256
5c6764c438e8eabbf72c827e113fa0ef8ff585398331697315456949acdf0cb9

SHA512
1ede0fe69c984f8809d83e0de479948c0e0c4c2fc07ab6fca362b01792c08181109f19c5f140a2f4de1a85c21b1ab47fc9f2c28f258236a869048037018497dc

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
C:\Users\Admin\AppData\Roaming\backupscan\XceedZip.dll

Filesize
484KB

MD5
882e0b32bbc7babec02c0f84b4bd45e0

SHA1
13a9012191b5a59e1e3135c3953e8af63eb1b513

SHA256
2d04cc1948c4b8249e5eb71934006fe5dda4db7c856698fb8f2521a77e73f572

SHA512
99e314733e6a9eb5b5e5e973d54d4aac8f7aef119cd8f650da0690a46eaaa9c2157cdf0ddc912cbda81587b484b2b88d0b6833c8c4e4c320182d5e584062dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\backupscan\mfc100u.dll

Filesize
4.2MB

MD5
06fed6d7aea38bcca796d3ad98ccfe91

SHA1
e904255245a725bac3d5a724049852fd563a2e77

SHA256
73670defa750d0a09470356279494a0c947245229d283c42e7ef0f2b8427b847

SHA512
34880cb382790aa9aecf360d26a278b8cff1bf883afa00124263072842e2a4fbc7121d9b616a8014b2292be2606a7b1afb15118e6c7d30d4a1395cec5d69c6ed

Download Submit
memory/1060-113-0x0000000004D40000-0x0000000004DB6000-memory.dmp

Filesize
472KB

Download
memory/1060-111-0x0000000000700000-0x00000000007CC000-memory.dmp

Filesize
816KB

Download
memory/1060-125-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/1060-128-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1060-129-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/1060-118-0x00000000059D0000-0x00000000059EE000-memory.dmp

Filesize
120KB

Download
memory/1060-117-0x0000000005EA0000-0x00000000063CC000-memory.dmp

Filesize
5.2MB

Download
memory/1060-116-0x0000000005080000-0x0000000005242000-memory.dmp

Filesize
1.8MB

Download
memory/1060-115-0x0000000004E60000-0x0000000004EB0000-memory.dmp

Filesize
320KB

Download
memory/1060-114-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/1060-112-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/1060-119-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1060-108-0x00000000732C0000-0x0000000074514000-memory.dmp

Filesize
18.3MB

Download
memory/4032-106-0x0000000072C90000-0x0000000072E0B000-memory.dmp

Filesize
1.5MB

Download
memory/4032-104-0x00007FF9F8BD0000-0x00007FF9F8DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4072-65-0x0000000072C90000-0x0000000072E0B000-memory.dmp

Filesize
1.5MB

Download
memory/4072-66-0x00007FF9F8BD0000-0x00007FF9F8DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4164-41-0x0000000003520000-0x00000000036E7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-34-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4716-101-0x0000000072C90000-0x0000000072E0B000-memory.dmp

Filesize
1.5MB

Download
memory/4716-90-0x00007FF9F8BD0000-0x00007FF9F8DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4716-89-0x0000000072C90000-0x0000000072E0B000-memory.dmp

Filesize
1.5MB

Download