6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

Analysis

max time kernel
152s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Size

1.3MB
MD5

410612cb41fe82d39059b48a43f02136
SHA1

67f7fd1fa044aaaa96e3eae0e721c7d470fa6703
SHA256

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36
SHA512

41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e
SSDEEP

12288:yZM3GMiUdXrc0y+QjmcgrAtUwo4rwjVjRCTnZ2V/O:y9qwodjVjMTn4G

Score

10^/10

microsoft persistence phishing

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZZknjnfvcs\\Conhost.exe"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

svhost.exeConhost.exesvhost.exe

pid process

2132 svhost.exe
2332 Conhost.exe
3980 svhost.exe

pid	process
2132	svhost.exe
2332	Conhost.exe
3980	svhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 2 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exeConhost.exe

description	pid	process	target process
PID 1000 set thread context of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 2332 set thread context of 3980	2332	Conhost.exe	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3cfa3b74-40ed-4cfc-affc-29a8df610c3c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130015008.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5056 timeout.exe
2952 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

752 tasklist.exe

pid	process
5056	timeout.exe
2952	timeout.exe

pid	process
752	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exemsedge.exemsedge.exemsedge.exeConhost.exeidentity_helper.exemsedge.exe

pid	process
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
4596	msedge.exe
4596	msedge.exe
3788	msedge.exe
3788	msedge.exe
2480	msedge.exe
2480	msedge.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
2332	Conhost.exe
4676	identity_helper.exe
4676	identity_helper.exe
2332	Conhost.exe
2332	Conhost.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exetasklist.exeConhost.exe

description	pid	process
Token: SeDebugPrivilege	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: 33	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: SeIncBasePriorityPrivilege	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeDebugPrivilege	2332	Conhost.exe
Token: 33	2332	Conhost.exe
Token: SeIncBasePriorityPrivilege	2332	Conhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2480 msedge.exe
2480 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.execmd.exewscript.execmd.execmd.exesvhost.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1000 wrote to memory of 2856	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 2856	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 2856	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 2856 wrote to memory of 4968	2856	cmd.exe	wscript.exe
PID 2856 wrote to memory of 4968	2856	cmd.exe	wscript.exe
PID 2856 wrote to memory of 4968	2856	cmd.exe	wscript.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1000 wrote to memory of 2132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 4968 wrote to memory of 4396	4968	wscript.exe	cmd.exe
PID 4968 wrote to memory of 4396	4968	wscript.exe	cmd.exe
PID 4968 wrote to memory of 4396	4968	wscript.exe	cmd.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 4396 wrote to memory of 2616	4396	cmd.exe	reg.exe
PID 1000 wrote to memory of 5008	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 5008	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 5008	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 5008 wrote to memory of 2952	5008	cmd.exe	timeout.exe
PID 5008 wrote to memory of 2952	5008	cmd.exe	timeout.exe
PID 5008 wrote to memory of 2952	5008	cmd.exe	timeout.exe
PID 1000 wrote to memory of 1132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 1132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1000 wrote to memory of 1132	1000	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 2132 wrote to memory of 3692	2132	svhost.exe	msedge.exe
PID 2132 wrote to memory of 3692	2132	svhost.exe	msedge.exe
PID 3692 wrote to memory of 3956	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3956	3692	msedge.exe	msedge.exe
PID 2132 wrote to memory of 2480	2132	svhost.exe	msedge.exe
PID 2132 wrote to memory of 2480	2132	svhost.exe	msedge.exe
PID 2480 wrote to memory of 2052	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 2052	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe
PID 2480 wrote to memory of 4380	2480	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
"C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:2616

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
4⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6588147564047433859,6802548104395296177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
4⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6588147564047433859,6802548104395296177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
4⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
4⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
4⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
4⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
4⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
4⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 /prefetch:8
4⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
4⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
4⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
4⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
4⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
4⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
4⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b1cf5460,0x7ff7b1cf5470,0x7ff7b1cf5480
5⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
4⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
4⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
4⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5876 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
4⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
3⤵
- Delays execution with timeout.exe
PID:2952

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq svhost .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\find.exe
find /i "svhost .exe"
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
"C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
4⤵
- Executes dropped EXE
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
6⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
PID:696

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
3⤵
- Delays execution with timeout.exe
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat
2⤵
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
1⤵
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9cc113cab81df2ff66421c3dd6bf4d31

SHA1
c1e1b1e2f007732c8c79eedac889b7312b08990e

SHA256
48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea

SHA512
e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9cc113cab81df2ff66421c3dd6bf4d31

SHA1
c1e1b1e2f007732c8c79eedac889b7312b08990e

SHA256
48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea

SHA512
e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2fd8937a1a0c15c88bc8fc84a9bc74cd

SHA1
481083c9a2feb88588bd6d2638038e2def5042e6

SHA256
c81429ac73c3895c26290fe9e6251bd96dba8b89b0ee149bfc1136f6562ee6bb

SHA512
85a96dd1ed3897faa410ff3b4ecaece15f2c987b821c032542e7296e0fde4520249da536643a98355bbfcc2940acd3e33e7a03c47a00b1b512a35ae85a758975

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
Filesize
70B

MD5
17658b3d0a055fb3c516f328657b1051

SHA1
2a3fc5831f96e2cf974471c38b9e589956c151ef

SHA256
0ae91ee491e8a09058a9212ad0924153c9eed7b7ff48f9b374b0cc3d75a4e17f

SHA512
919881bd8a16a1e9c3df0bd0523196ea3f8f8363d26429be0ea334aa83cb2eb5cb73c3bf284186654642f9ba46e14b998cc472e9cfda34dd1975a0659f7d8126

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat
Filesize
270B

MD5
04d4c88cb0021bd60dcc8e1c07386d4a

SHA1
d21768e0707d5c38cb4b94ecfe4418b8d817e068

SHA256
c59ba5ded9790de55f0fa3df9eedd06adad0c2a6b38f0291a5b1c904157b065b

SHA512
42cc4fa0c8ac7aca8b8ee9bab87e95261aaf65612e0b33830efa580bc3a22ee4c1a53c061f70cf8b57676c63a23520d7a337ad8b78f14675fe648893ffe6ba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat
Filesize
120B

MD5
25730eb2d1ae73e5ccd756cc6b61f4d2

SHA1
7eafc9463099578927f06b40c684de6f6ad1065f

SHA256
5f31e2195f7beb7d29573a5a781610dbc5fd077dd9ad78acc886fdcd3acb024f

SHA512
9d250de84934b6f5ce2997d5f91d15b731780345fb19a710f32728a2273397b5b538e2ce9c62a03a49ddd0b3d79de234c5fa12624518c6c20cf445c17354aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
Filesize
211B

MD5
18ea8efac3f2cfc8154015a96b3a159f

SHA1
461cb487adbc0721b8d21da7b97f790c9c6869db

SHA256
80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2

SHA512
190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
Filesize
211B

MD5
18ea8efac3f2cfc8154015a96b3a159f

SHA1
461cb487adbc0721b8d21da7b97f790c9c6869db

SHA256
80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2

SHA512
190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
\??\pipe\LOCAL\crashpad_2480_LDIOQFNZIMQFGGUV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3692_RNBGXFPKLFYSBCKT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-178-0x0000000000000000-mapping.dmp

Download
memory/696-212-0x0000000000000000-mapping.dmp

Download
memory/716-216-0x0000000000000000-mapping.dmp

Download
memory/752-190-0x0000000000000000-mapping.dmp

Download
memory/852-184-0x0000000000000000-mapping.dmp

Download
memory/1000-150-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1000-144-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1000-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1116-182-0x0000000000000000-mapping.dmp

Download
memory/1132-149-0x0000000000000000-mapping.dmp

Download
memory/1568-217-0x0000000000000000-mapping.dmp

Download
memory/1636-164-0x0000000000000000-mapping.dmp

Download
memory/1976-203-0x0000000000000000-mapping.dmp

Download
memory/2052-155-0x0000000000000000-mapping.dmp

Download
memory/2132-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2132-137-0x0000000000000000-mapping.dmp

Download
memory/2332-209-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2332-194-0x0000000000000000-mapping.dmp

Download
memory/2332-200-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2480-154-0x0000000000000000-mapping.dmp

Download
memory/2616-143-0x0000000000000000-mapping.dmp

Download
memory/2856-133-0x0000000000000000-mapping.dmp

Download
memory/2952-148-0x0000000000000000-mapping.dmp

Download
memory/3004-189-0x0000000000000000-mapping.dmp

Download
memory/3120-213-0x0000000000000000-mapping.dmp

Download
memory/3156-192-0x0000000000000000-mapping.dmp

Download
memory/3200-174-0x0000000000000000-mapping.dmp

Download
memory/3444-208-0x0000000000000000-mapping.dmp

Download
memory/3476-202-0x0000000000000000-mapping.dmp

Download
memory/3692-152-0x0000000000000000-mapping.dmp

Download
memory/3788-163-0x0000000000000000-mapping.dmp

Download
memory/3956-153-0x0000000000000000-mapping.dmp

Download
memory/3980-196-0x0000000000000000-mapping.dmp

Download
memory/4092-219-0x0000000000000000-mapping.dmp

Download
memory/4164-172-0x0000000000000000-mapping.dmp

Download
memory/4212-169-0x0000000000000000-mapping.dmp

Download
memory/4380-161-0x0000000000000000-mapping.dmp

Download
memory/4396-142-0x0000000000000000-mapping.dmp

Download
memory/4460-193-0x0000000000000000-mapping.dmp

Download
memory/4596-165-0x0000000000000000-mapping.dmp

Download
memory/4660-180-0x0000000000000000-mapping.dmp

Download
memory/4664-206-0x0000000000000000-mapping.dmp

Download
memory/4676-201-0x0000000000000000-mapping.dmp

Download
memory/4808-191-0x0000000000000000-mapping.dmp

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download
memory/5004-176-0x0000000000000000-mapping.dmp

Download
memory/5008-145-0x0000000000000000-mapping.dmp

Download
memory/5056-211-0x0000000000000000-mapping.dmp

Download
memory/5060-187-0x0000000000000000-mapping.dmp

Download