warzonerat | 0db1623441ecf9e600d01c74b3ba5fbd9106ef366c59ffa12994adf293b60e31

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO894Y23.exe
Size

113KB
MD5

9e82efab8cc5b74afca76c45f900ca7a
SHA1

574e6fafc6853a5b5ce7eadef938e2979cc2d205
SHA256

80903661da1067955fe94001e2f88efbdb0540932c9dfe0edcb86d2780ce4246
SHA512

e0c78a0e4271ca27f52b2fdf01e455347de411ae102c9cce9bb3125c1c1abe0f68b86bbbc0a1d07e35243c631e5cac13bfcfc76e34cd359cb4b7b101f178c825
SSDEEP

1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

warzonerat

172.93.222.150:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x00080000000231d2-135.dat	warzonerat
behavioral2/files/0x00080000000231d2-136.dat	warzonerat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	images.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	images.exe

Loads dropped DLL 7 IoCs

pid	Process
2668	svchost.exe
4140	images.exe
4140	images.exe
4140	images.exe
4140	images.exe
4140	images.exe
4140	images.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	PO894Y23.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	images.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Ihg.fpK = "0"	images.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	images.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	images.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	images.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\25c4705c-74a5-4485-acef-2a345aad39fb.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230630112302.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4312	powershell.exe
4312	powershell.exe
3920	powershell.exe
3920	powershell.exe
4384	msedge.exe
4384	msedge.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
4916	msedge.exe
4916	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	4140	images.exe
Token: SeAuditPrivilege	2668	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4140	images.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 4312	572	PO894Y23.exe	87
PID 572 wrote to memory of 4312	572	PO894Y23.exe	87
PID 572 wrote to memory of 4312	572	PO894Y23.exe	87
PID 572 wrote to memory of 4140	572	PO894Y23.exe	89
PID 572 wrote to memory of 4140	572	PO894Y23.exe	89
PID 572 wrote to memory of 4140	572	PO894Y23.exe	89
PID 4140 wrote to memory of 3920	4140	images.exe	90
PID 4140 wrote to memory of 3920	4140	images.exe	90
PID 4140 wrote to memory of 3920	4140	images.exe	90
PID 4140 wrote to memory of 32	4140	images.exe	91
PID 4140 wrote to memory of 32	4140	images.exe	91
PID 4140 wrote to memory of 32	4140	images.exe	91
PID 4140 wrote to memory of 32	4140	images.exe	91
PID 4140 wrote to memory of 32	4140	images.exe	91
PID 4140 wrote to memory of 4916	4140	images.exe	94
PID 4140 wrote to memory of 4916	4140	images.exe	94
PID 4916 wrote to memory of 4560	4916	msedge.exe	95
PID 4916 wrote to memory of 4560	4916	msedge.exe	95
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 3800	4916	msedge.exe	97
PID 4916 wrote to memory of 4384	4916	msedge.exe	98
PID 4916 wrote to memory of 4384	4916	msedge.exe	98
PID 4916 wrote to memory of 2328	4916	msedge.exe	100
PID 4916 wrote to memory of 2328	4916	msedge.exe	100
PID 4916 wrote to memory of 2328	4916	msedge.exe	100
PID 4916 wrote to memory of 2328	4916	msedge.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

C:\Users\Admin\AppData\Local\Temp\PO894Y23.exe
"C:\Users\Admin\AppData\Local\Temp\PO894Y23.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\.qhblrJbx.html
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaeac846f8,0x7ffaeac84708,0x7ffaeac84718
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
      4⤵
      PID:492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      PID:4956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      4⤵
      PID:2288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      4⤵
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff6d5e45460,0x7ff6d5e45470,0x7ff6d5e45480
        5⤵
        
        PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      4⤵
      PID:5124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,15529380068541241678,15526400376579260731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5028 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\images.exe

Filesize
113KB

MD5
9e82efab8cc5b74afca76c45f900ca7a

SHA1
574e6fafc6853a5b5ce7eadef938e2979cc2d205

SHA256
80903661da1067955fe94001e2f88efbdb0540932c9dfe0edcb86d2780ce4246

SHA512
e0c78a0e4271ca27f52b2fdf01e455347de411ae102c9cce9bb3125c1c1abe0f68b86bbbc0a1d07e35243c631e5cac13bfcfc76e34cd359cb4b7b101f178c825

Download Submit
C:\ProgramData\images.exe

Filesize
113KB

MD5
9e82efab8cc5b74afca76c45f900ca7a

SHA1
574e6fafc6853a5b5ce7eadef938e2979cc2d205

SHA256
80903661da1067955fe94001e2f88efbdb0540932c9dfe0edcb86d2780ce4246

SHA512
e0c78a0e4271ca27f52b2fdf01e455347de411ae102c9cce9bb3125c1c1abe0f68b86bbbc0a1d07e35243c631e5cac13bfcfc76e34cd359cb4b7b101f178c825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_582DC597430784041BB93D3718D1C412

Filesize
727B

MD5
56c86dc3bd5e90b354c9826dedf33c91

SHA1
f5d2b09035a7ae6cadd477ab21484d168439ad59

SHA256
04e427edf796008dc68b14460748b73d319ffd469b3f30b7b602035c62663698

SHA512
310de885b313b82eef82a9458bcf187c6f0b54a86ef096fbfc9698bdd3c7563d695b048e463ca7b9aff40dd2e064d641b5aa37c80fc861452682e00c4f1c1caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
471B

MD5
1609558e794930959dfa2e6d9282c203

SHA1
cb5527c7c0d12d5f9c3c72bc0e39f583d59808e0

SHA256
0e86775d26a95b8eef0ec9dc82710c02c222ef2112d0b449ab83f3f301feeb6a

SHA512
1e8070502cd70b05137102021a8563caf3479a010305da816198128ed5a8fa3e20fd432b4ca396a106777e52f28eea8687e7e41f6db12e85b0332355951ed504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_582DC597430784041BB93D3718D1C412

Filesize
408B

MD5
7897c6ac6202b7a38b825660e6cfc1cf

SHA1
1d9d2578a08399cd4d08f26ebfe21772fdcad2f5

SHA256
af916130aa7f4092490ef7f15ff83a9a29acabcab7082eda5c3e227952c92d0b

SHA512
39deb9002230bf422a51b2bb099c381a8edc5b03258b8912aea688b7fbc9dc42a70c84fdc6c5c391e9c3027f59031e89c2f70ccbefb6a45551ce64ead5fa13b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
400B

MD5
839d92849fcbcdf195b23e58e516d7ad

SHA1
0e1e9781f4c3cdb0c8f42536c4ad0118321495ce

SHA256
f4a63cbed8671fa14d2c1e430916bc980935b79bbcf1586b87cb8c78f50cc227

SHA512
56b5eba265756de6b2dc109f3db3fde59256488ded31606c924cc6d876e76b1c014e26bddb2cf9c0e93b90e192fc0c827861c69ef034241bcd39e4073f54f21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
610003c56a177b0384d6fb52bddd79da

SHA1
dee64128972597ba8c0ae9f4ac502c1065c670d9

SHA256
750ed9c6bf8f2155b43e1e9684ab39c383ef2bdf375ae7820a488b59f0495877

SHA512
c8394769c6ed907ba07a087ee29c62e61f1aa490cc11a431831010221cd789a8f8a8be33c8894e76dc1bbeea7c512b2ce6db76427c470c1a74c9d5bfd3ef6298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
055413454fe994a1f2a4356edeffe33b

SHA1
4d85afe3b54e1f79e8fc882fbd37dc89bccaceed

SHA256
e6e9f98b886ea24be09b9630e64d2b666d34723c5730aad53d1dc6ecb2859425

SHA512
865bc1dc6e679d5022f9308adc4908b4e75733c960fcd727dbb4e033a7d1a58b76e2dbd0a80f0fecc4d4086d12736204ef4df9e14f338a777505bd49569309e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9a07a76a1c690ac147703960a0c5248d

SHA1
1ca2818d9d360380ceb5d340d52171c1d95b76b0

SHA256
bedaaa9134fe33362734c305a2f804a24cf444e3c27223a7b39a7799db0bcb56

SHA512
41bdf9dd4b110f796ea2b7c8f87adf4de7f612faf5904d049843ee26f40a41011f78d6e6342bd26eff31923fdf128492b3fd515bcaf99d64e98d79c7d8da7bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a1414dfef7bce08e698e2202442a7e30

SHA1
0d86487c27801b4566b5ed959326bc0e57912732

SHA256
57edffcfa61fdd8eb2b47b23e1377d3ce70b5a697892f9ef1597f3ed02764b4e

SHA512
954234c7b51ce6681e9d8bad862ff829fb3aa8012e3287b173d511d8ac70e3de6db31b174f06e4d8f38a5566633cfb567540c1a503a5dc281d8a053ca6099b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
b3a3e73a5ee490a0e9e81ac63f85a682

SHA1
c1d6ecfc21b8df8cb5ff9129860d27b97b0992b6

SHA256
0668a400540dd0080f1ef8f9c21181110aabb8702e70e9eb092e7146880dd137

SHA512
3f2e90a960bb7cb3124505df684c7eb7d733f7e5802c5d2b7f62ed63fe4b7f6536015a3189f7f4f2ce8b4873aeda90aaa889ca4f271b75ff72dcf876ab165fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
582d624fa7f1bf695fffc41844a38b21

SHA1
ed35d05c0f8cc670d18de1e7944403012eba2763

SHA256
ac98431b56ffce56db667afd3bb3214c9b22e2441c9bf166edd2611ad2bb34aa

SHA512
ed1a2d21f5d774de85998d0b7a1f6cb6092cc9eb34b25eff620c3bca5b64fe83ee2355b9a6372d97a69ed122d132a66cfe5c127f2f4116e023f71f569119d2d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
90e26fc968c770ef61c12c03e5abad53

SHA1
55c98bdf763e869849d150bf36ed531f39cc1787

SHA256
a56e27f65a215752f12834d95fd5bf02a95b7c0c0e2a22e8f457c2e9c1a61ab4

SHA512
7ad31d635d9309b26a23e47d476aaad6ffcb5cd045d99f34c95cf08c8698acf0348f872c041cf4d0b77cd6cb86853c6032085a4604b4d6e3ceb5db3cfeaaf733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0afe2be9d1aa75dfe65fd551fe7f8783

SHA1
f3113af78f98982519e8205786f27e17296dd718

SHA256
3a767c87ff30b21dbcb7f9e0a65ffb11dfb5b86363943dd1393b8ebf50aaecda

SHA512
9611b78c46ff189652f1889a6c0834b59bc66c2d6b136eac6b861f968a33ce0f7a32a4ba3b871a58d27825b544ec550857561ed9188f1965fedd2270506df830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7842a12848039f5aebec54c5cecb246d

SHA1
245ec4402dc59f0ea5d84a874bb721112771fc51

SHA256
6062910e4c92cdf4eb280304909972d5eefefa74215952bb1605e8989c4bd108

SHA512
d07034435689c70388a17aa360a4e927c76df8349163a34f880986a8b1b18501ded524c72ad75724e28fadf7bb87e01e74b8e512139d072b574b02e88451da40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b19b048548718e5ec507132a64ae96af

SHA1
95b7e9da11ae6d6abc367e8a37e3bcc203eeedbf

SHA256
b48eb5eb7e44576078ed25adfa3f819949a29cda229776860aca77c19107f892

SHA512
942d72f9f25550a31bcaf134f41c612f08392adc112d9d58e4187bca76f26d7e012cdd0bffadb1dce574254a6474ee604ca8dff2335d812566fc0fdb1155124d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4fd054c69665ea437b1a20e418c64443

SHA1
e8d9eee4354ebfe06180117f718441784241577e

SHA256
3019dfc3ad41088ef51f0c69004e66fd2e97176ca542fa07cad3ed9b2c00eaa5

SHA512
8b2067e825a1cbb619519a1d07ecca6aed7751f7690042108a6cc48241a734f1e0d1f027baa07d6fe27ad58c5dd7da41a0daa749edd2a0c18921cece1b08e12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6e61b6e-5a9b-409e-92fe-8e2be5ea9a99.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85cc25c80872cf7684fdaf994aa9a102

SHA1
f4da2ec1fc8ab609922736f2169161baab9bcada

SHA256
99ee11d6170ba5d73648cfc4c46a055a21c369eef444accd0f800fa73200cc21

SHA512
98aa10a8f5058efb03e467ad2ed28d21a74166ad4aaddab21b95bde4c9e71c28d9211d6e4278153447334b0e2c39706e036c5d8debf34ec9ea3eb010f16d1c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
80ac0e781ebfae0e7c95f800907dfa4b

SHA1
7e2d9ecd4c7b8e5e5b49301d62817fde8bb00db4

SHA256
fe82656074a769a5fecb8ae6b8606a9c017addd21052bcbffbf9be04f8fd4821

SHA512
a2d582f492edf776cec92605b75a82b923d1b3f2fb89249cf6975e2b8fb56b3ea5d1c226f360782ccae98db79b172749b3c5dbfc3331f2b083e41ad598f3c7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
d9a8c3eb2aa1b71990edec70424de2d1

SHA1
1a120a0599a851f3c2d0aaa1974f43e941c12d68

SHA256
7356cd516705cce91dfba68c20edaace5d710e758c6f368fabdd8e2484df6679

SHA512
6ba1e9d185f5a0941f8b10e7472f0d7cf14686ce8de19d14a9e13716d8ad346fcbee12d786f343720a7f95a57a4cb408a02d3c47da6a9dd374cca07ebb974e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5a1b08b1835d5f3335280c0309068792

SHA1
d94d411bd3a42aefc7842d67231bf86cc3ef0ecf

SHA256
247bc68200168e90f7ee65f86fa5a93faa5c75d9bef6707b2ae408018b16ca39

SHA512
13a87b1274b316dc4193a55124c969a140686b1820a2086247b08d50761a3e7d0b89ff562b743c345d63ae007321cba59d41f77b39cd25dfb4adecc1e097c16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aycqnfxg.a0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
326KB

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
133KB

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
1.2MB

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
C:\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
141KB

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Roaming\.qhblrJbx.html

Filesize
13KB

MD5
293e8fc9b24d501fd8b964cb710dabb5

SHA1
63164375dc079f6ee03b441b8576e2b04b77f3fa

SHA256
7be577ecea701e9f2c5684c191570a64806a9ff5301bd9052678e4a7b38f20b6

SHA512
663ffaeb4a11d008ad19b93e8b7dff23f02b19b0a67c13d1136eea6bd6a6b728357b1377c0fa427ae70aaf5e3769e5fedfbf76da98aa639283a2e37da2e5f21a

Download Submit
C:\Users\Admin\AppData\Roaming\.qhblrJbx.html

Filesize
13KB

MD5
293e8fc9b24d501fd8b964cb710dabb5

SHA1
63164375dc079f6ee03b441b8576e2b04b77f3fa

SHA256
7be577ecea701e9f2c5684c191570a64806a9ff5301bd9052678e4a7b38f20b6

SHA512
663ffaeb4a11d008ad19b93e8b7dff23f02b19b0a67c13d1136eea6bd6a6b728357b1377c0fa427ae70aaf5e3769e5fedfbf76da98aa639283a2e37da2e5f21a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6425fb5c1a9cba205b557fe53b2f1613

SHA1
44f73ebea2fe3183e23c2227ea9199eec63e966d

SHA256
74a72ce29c6af3b56e34e21e05e1df03f0515bfa1ce7ab8ca0b5ac34c5c2752e

SHA512
220e39e5f67a7110ae29a21b9e1b60577a75dde2bf9d9d78f2b801e48690c1138c0c0bedbc94e673d14d3a83715580a96bc281deae99128926d1ae3dbc5bf0c5

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini

Filesize
177KB

MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/32-163-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3920-167-0x0000000007600000-0x0000000007632000-memory.dmp

Filesize
200KB

Download
memory/3920-165-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3920-166-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3920-211-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/3920-169-0x00000000749E0000-0x0000000074A2C000-memory.dmp

Filesize
304KB

Download
memory/3920-179-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/3920-193-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/3920-196-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/3920-192-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4140-194-0x0000000003DB0000-0x0000000003F50000-memory.dmp

Filesize
1.6MB

Download
memory/4140-453-0x0000000003FF0000-0x0000000004074000-memory.dmp

Filesize
528KB

Download
memory/4312-139-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4312-138-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/4312-210-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/4312-191-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4312-190-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/4312-189-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/4312-137-0x0000000002850000-0x0000000002886000-memory.dmp

Filesize
216KB

Download
memory/4312-195-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/4312-168-0x00000000749E0000-0x0000000074A2C000-memory.dmp

Filesize
304KB

Download
memory/4312-141-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/4312-140-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4312-214-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/4312-143-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4312-142-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/4312-153-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download