quasar | 164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2023 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Android Tester.exe
Size

22.7MB
MD5

f39cec8c25192d89cab82d32e2645b98
SHA1

8165bc234cfd0fc6dda711d5c032d7c97bb6ee5d
SHA256

82df477a1e5e4105c96c8820385bcd3c1bd54995967d29d2e639d040db5b1574
SHA512

6f194968ceaad61f43ee5a48e433e916746fc485b6e60eb24c67e98e83ea76e8e57f52e4047007d4b58fba1fc38e447ca4dc2942e140e41e3c985538c713d524
SSDEEP

393216:yQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6eX:ykPC0eSZwPtuTx/qU+xv93

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes

encryption_key
GaGctuJ4ar1CIDW3hoKN
install_name
Winstep.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Winstep SpeedLaunch
subdirectory
Winstep SpeedLaunch

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x00060000000231ca-16.dat	disable_win_def
behavioral2/files/0x00060000000231ca-23.dat	disable_win_def
behavioral2/files/0x00060000000231ca-25.dat	disable_win_def
behavioral2/memory/3484-36-0x00000000005E0000-0x000000000066C000-memory.dmp	disable_win_def
behavioral2/files/0x00060000000231ea-192.dat	disable_win_def
behavioral2/files/0x00060000000231ea-193.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

dllhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dllhost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00060000000231ca-16.dat	family_quasar
behavioral2/files/0x00060000000231ca-23.dat	family_quasar
behavioral2/files/0x00060000000231ca-25.dat	family_quasar
behavioral2/memory/3484-36-0x00000000005E0000-0x000000000066C000-memory.dmp	family_quasar
behavioral2/files/0x00060000000231ea-192.dat	family_quasar
behavioral2/files/0x00060000000231ea-193.dat	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Android Tester.exedllhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	Android Tester.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 4 IoCs

Processes:

Apktool Installet1.exedllhost.exeAndroidTester v6.4.6.exeWinstep.exe

pid	Process
852	Apktool Installet1.exe
3484	dllhost.exe
1508	AndroidTester v6.4.6.exe
3936	Winstep.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dllhost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
39	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4456	schtasks.exe
4528	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exeidentity_helper.exepowershell.exedllhost.exemsedge.exe

pid	Process
1516	powershell.exe
1516	powershell.exe
1396	powershell.exe
1396	powershell.exe
1396	powershell.exe
2088	msedge.exe
2088	msedge.exe
624	msedge.exe
624	msedge.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2248	identity_helper.exe
2248	identity_helper.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
3484	dllhost.exe
5548	msedge.exe
5548	msedge.exe
5548	msedge.exe
5548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exedllhost.exepowershell.exepowershell.exepowershell.exeWinstep.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3484	dllhost.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3936	Winstep.exe
Token: SeDebugPrivilege	3936	Winstep.exe
Token: SeDebugPrivilege	3328	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Winstep.exe

pid	Process
3936	Winstep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Android Tester.exeApktool Installet1.execmd.execmd.exemsedge.exe

description	pid	Process	procid_target
PID 644 wrote to memory of 852	644	Android Tester.exe	86
PID 644 wrote to memory of 852	644	Android Tester.exe	86
PID 644 wrote to memory of 852	644	Android Tester.exe	86
PID 644 wrote to memory of 2904	644	Android Tester.exe	88
PID 644 wrote to memory of 2904	644	Android Tester.exe	88
PID 644 wrote to memory of 2904	644	Android Tester.exe	88
PID 644 wrote to memory of 3484	644	Android Tester.exe	89
PID 644 wrote to memory of 3484	644	Android Tester.exe	89
PID 644 wrote to memory of 3484	644	Android Tester.exe	89
PID 852 wrote to memory of 628	852	Apktool Installet1.exe	91
PID 852 wrote to memory of 628	852	Apktool Installet1.exe	91
PID 628 wrote to memory of 1132	628	cmd.exe	92
PID 628 wrote to memory of 1132	628	cmd.exe	92
PID 628 wrote to memory of 1516	628	cmd.exe	93
PID 628 wrote to memory of 1516	628	cmd.exe	93
PID 644 wrote to memory of 1508	644	Android Tester.exe	94
PID 644 wrote to memory of 1508	644	Android Tester.exe	94
PID 644 wrote to memory of 1508	644	Android Tester.exe	94
PID 2904 wrote to memory of 624	2904	cmd.exe	95
PID 2904 wrote to memory of 624	2904	cmd.exe	95
PID 624 wrote to memory of 4696	624	msedge.exe	97
PID 624 wrote to memory of 4696	624	msedge.exe	97
PID 628 wrote to memory of 1396	628	cmd.exe	98
PID 628 wrote to memory of 1396	628	cmd.exe	98
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100
PID 624 wrote to memory of 2560	624	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\Android Tester.exe
"C:\Users\Admin\AppData\Local\Temp\Android Tester.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe
  "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\709C.tmp\709D.tmp\709E.bat "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\local\temp\svchost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\roaming\winstep speedlaunch\winstep.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\program files (x86)\nat host\nathost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://allienhacker.webnode.es/?_ga=2.196494636.1688825314.1654326551-1345156272.1652202048
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc74746f8,0x7ffbc7474708,0x7ffbc7474718
      4⤵
      PID:4696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:2376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:2036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      PID:620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
      4⤵
      PID:2036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,12794594988229454682,15567569916070118564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5548
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dllhost.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4456
- - C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe
    "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3936
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hFPnmyjg8IcE.bat" "
    3⤵
    PID:4656
- C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe
  "C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9201097e7ad03e08bafc22f620dda4c0

SHA1
2754cc755b16dc01b5db1ad1846cbdc8105d9d34

SHA256
d3649cd3c05af275154cfce2a3a34902faeefb574802215610faf51b344ad50a

SHA512
982fa5ea5a261f1ffc2b9c351677acf704415ceff410278773d5f5a3719433cbc1ac6f28fa9cca5f11f6fa0165da8be5cdf941ba9180e6f27b29fd0d4bbcf50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
876B

MD5
96a8f7d69424d3c99632677302e833b6

SHA1
6a295db164a6d22c9a94a59a40f100829827bade

SHA256
9ca63d005161b37a50532c7ce037558eb50a0e2b24d82a90552dab3f29546ea0

SHA512
2add064539a4909a8807f2d177e416524226576d15185df6303ec50b067a6cecd45e6c8d5b138bfe7f17c1d91c20a5f46f3932ff45bbf2dfe1491391c7dcc0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffdd3d28e60f62414d47ab1369454d89

SHA1
d8502062349de3293ffda51438b0a5f823c8c5e7

SHA256
0bfdf5cf503cec87bb0b36a03ff53ea09ce3022c9cda8404fdc8926200933b1f

SHA512
3f32d5b1fafab5c5b09be73666d09d707dc0e759d88ce0d8a3615614ddbf166d2783db75748b91556f2ffcbd4758883142333371fc5072407d44a865ceaef519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
87305fdd35b14d9e083a1692c461101c

SHA1
c3c5cd7bbdbd25429aeaaa9fdcac87230ae7a90d

SHA256
bbb6d6d11d44a658e812267c86c35716d7cea87d73e4907dc07c63cc0d531be0

SHA512
6a51b51b0ef8b30c9679ca572dabe7fac5b56224d57c9865a53f1669ffbe64a32e855e4cb7d6d3a2c33fef573fb17fb5eb5d5dddbb540b8770ed91562202ab45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01ec8db3774e06ff0faeab2f433035ff

SHA1
5fd8c5d662e979530a2c2599afce604ef9feade0

SHA256
e41b70a8525e63946af89361ff5304c43a1a14c86ba70fb1b99cf92e9b60ba3f

SHA512
94f30cef00b9001487a8f0f032a9bc970c9ea620965c9700b4a1a36f8404e618746f8c4d1cff886d759ae282ece42b679051c751b4e711b0a0906653395f1996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
230f6351c14fa951c5fa6b966104c189

SHA1
f885f29024c73bf1167fe6de3ae91d320c85351f

SHA256
5d8fd4ee422040a82a7a1a58568e6ba6fe97ee3d4ceafa684eb73abce7a855be

SHA512
87e028ee2c94eb6c8eaabcbb5e5f3c5b1e22ec95688ac327a50d9488db3fd53bb39854e5ecb40735a4afba2fb286f0b48068950b2f4f0965246db1e38729875b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ea48a585f80caf3f18bee0e03d2dd5c1

SHA1
c5ade27aab033b29eb3887e4e1a33924f636b695

SHA256
3b16217078e7a36b775ca738ac19cc32a772a0e2ff52f6d53cb4f03a81d02218

SHA512
f48c0ab388168fc38404f1d03e07cd9033e636136f3ab3efdc2ca08b9475d0ece44894895ccc4cc754f087666791d4a334d418a44035f0a234d89eeb18629625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
35KB

MD5
f47e18888b06410a0c6c35e240ca44b5

SHA1
1bfa6dad3130beec81d2fb34457e306f35906c0a

SHA256
d49c6ef633f0f76a6826f52c08c927645d12f5f45ccaf0390e8504740a47a034

SHA512
4182274b27977eb82fd4ed36735e5d317ee7dd2bb8bfdc3f4615e99a4958ea35ca0bf98e82a33e759af4efd07c9bf9bac218724d0986d710420729b212a6112c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\4.tmp

Filesize
4KB

MD5
0d8dbe5cd39f3369265d93195e5c6449

SHA1
3332c1b711e5dca17d11538c8e6c208c870363bc

SHA256
fd17ca05fa0587fbf2d1ab722ebbf4a4b254f2ec0048e9cdae20655f7de06a39

SHA512
e3caddc18ee6f53bfe2b61b3eb14fc662e37f6f2fa05b35a4665ec37016209b1ade9a458b93193bd264eaeeddd2e0dba11d0c85b96c4cfdd71c8ea329d717467

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\5.tmp

Filesize
51KB

MD5
ab2021e67e0e08657288d880abfbaa72

SHA1
ffcf7956d5aaad47f4801b32b5fc893dc78a6dbc

SHA256
331d997e586cba40d4da0587887fc4caa4cc44e53421737dafa67e67445e6753

SHA512
e2975814169efe247b2f8954d60f331eea9340419f96255e4d0ce3c19ff9ddd3b98ec87f51d73ce3dae045142c2c40e600ad7d5dca3eeb156e038eba1a21bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\7.tmp

Filesize
2KB

MD5
696641d2325e8b142b6c16d1183aca43

SHA1
d8e2a1f5e3280d8d5315f3e434ae13f0a36fa783

SHA256
4a56ffce0e414f3495f70e9c2960837df25423b0dbafd21a073dbdbaa461bc90

SHA512
4cbe6360e6c4bab65179d661b07d81011fba89fd51ee81a99bacbb51f65ade2dab0808ecbd63db24e20820b711df8f52e0eb35c01b52a78ca22e5740ab6f9f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\8.tmp

Filesize
2KB

MD5
bac172b887bc7d09db5e14ce26a4943e

SHA1
5e2e3d9537d8c2097135887da2cbe333c05e5218

SHA256
aaa3bee9ebd3640c05b8a70f22c9fbdb8ea0e61ca3762db5a4583e94d46a5c79

SHA512
2d741fa0d02a597a36e1712e3ef1f96f60f460bdd6f752b3eb37d1a891448a5f78917d15222258533367d67c63faac9fe4755f44770ce56ae4243a455692a69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
56e0e4d9468f55068d7c294e34237d71

SHA1
8388e1b637ec1f07f59b527636da73d938e237f3

SHA256
167194fe584088f5c98d533912df9d179d1c986c1eaa14fa28ab6d9414d299cc

SHA512
f326a1f50ed59d1a149045039ef9d64e0164bf60997e160bbef2b1b401f0ae9d4de229309c8a59e29cff0ee42dc090d3a7fa8864938c75124786fe087f7de127

Download Submit
C:\Users\Admin\AppData\Local\Temp\709C.tmp\709D.tmp\709E.bat

Filesize
1KB

MD5
bcd21aeb88d121e122e032bf667a75ec

SHA1
32269670e39bb393f918c8ef7b57ddceaf6e27b1

SHA256
cb7ed31c658bf88e133e1e1397ee0dbbd56bb7629895a9ccf6dc558c747b18a8

SHA512
2c03bbe713c0fdb4faf5df5d5d54f057ee5df13776fb56f12565c597738ae7d81e6f2dd06c2a6eae583eab40698d2c870c9a349d74f4061b0b41d5387e7bef5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL.bat

Filesize
109B

MD5
ae2b368ac1a2180aa6307c913aba5713

SHA1
9ed2a7fe126d48cbd53c5a3b89cd2dc86b81f921

SHA256
b5d3420d52ea0fe34905cb9269f11b964dd7c2b3a31d58620131194fcd2bf992

SHA512
839f3dff0ddf5ad0bfd8f7fa0d6a98fb7bbc0c0b0baa8b58eb6621c011ac175fb34f1a44587b4fc8a0119ca0491d44109b12ae050eb66cf4dca5a2d75a1113fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxtjvjoq.ihy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFPnmyjg8IcE.bat

Filesize
204B

MD5
059be0c258d2ed3bec53d5113d7d3b7e

SHA1
c3e878b37d0a5a6d497ff39ac7c9aed68871ee99

SHA256
1b5ddbc8fe565ac901492e43f152325979475be15349af8a069ba13a30602a04

SHA512
730a65e1211e6d2936237d9208df7838d4cf61bef391b3c786a45ecbb619bbf76a86e24dbff857ccdbeb30e381682d942eef13b69253eb232789ad0b26d30b59

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
\??\pipe\LOCAL\crashpad_624_JPZPPKYNRIFLDSHD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1152-158-0x000001BB79BD0000-0x000001BB79BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-174-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-164-0x000001BB79BD0000-0x000001BB79BE0000-memory.dmp

Filesize
64KB

Download
memory/1152-157-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-85-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-108-0x0000014F21BA0000-0x0000014F21BB0000-memory.dmp

Filesize
64KB

Download
memory/1396-112-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-90-0x0000014F21BA0000-0x0000014F21BB0000-memory.dmp

Filesize
64KB

Download
memory/1396-86-0x0000014F21BA0000-0x0000014F21BB0000-memory.dmp

Filesize
64KB

Download
memory/1440-189-0x000001C57FA50000-0x000001C57FA60000-memory.dmp

Filesize
64KB

Download
memory/1440-176-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-198-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-34-0x000001696BAC0000-0x000001696BAD0000-memory.dmp

Filesize
64KB

Download
memory/1516-47-0x00007FFBCB7F0000-0x00007FFBCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-54-0x000001696BAC0000-0x000001696BAD0000-memory.dmp

Filesize
64KB

Download
memory/1516-74-0x000001696BAC0000-0x000001696BAD0000-memory.dmp

Filesize
64KB

Download
memory/1516-83-0x00007FFBCB7F0000-0x00007FFBCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-46-0x000001696C3F0000-0x000001696C412000-memory.dmp

Filesize
136KB

Download
memory/1516-35-0x000001696BAC0000-0x000001696BAD0000-memory.dmp

Filesize
64KB

Download
memory/2876-270-0x0000019D1D430000-0x0000019D1D440000-memory.dmp

Filesize
64KB

Download
memory/2876-203-0x0000019D1D430000-0x0000019D1D440000-memory.dmp

Filesize
64KB

Download
memory/2876-204-0x0000019D1D430000-0x0000019D1D440000-memory.dmp

Filesize
64KB

Download
memory/2876-202-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2876-216-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-259-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/3328-345-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/3328-201-0x0000000002690000-0x00000000026C6000-memory.dmp

Filesize
216KB

Download
memory/3328-360-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/3328-359-0x00000000079D0000-0x000000000804A000-memory.dmp

Filesize
6.5MB

Download
memory/3328-236-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/3328-358-0x000000007F700000-0x000000007F710000-memory.dmp

Filesize
64KB

Download
memory/3328-200-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3328-346-0x0000000007220000-0x00000000072C3000-memory.dmp

Filesize
652KB

Download
memory/3328-199-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/3328-217-0x0000000005170000-0x0000000005798000-memory.dmp

Filesize
6.2MB

Download
memory/3328-297-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3328-261-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3328-264-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3328-333-0x0000000071E50000-0x0000000071E9C000-memory.dmp

Filesize
304KB

Download
memory/3328-285-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/3328-332-0x0000000006590000-0x00000000065C2000-memory.dmp

Filesize
200KB

Download
memory/3328-331-0x000000007F700000-0x000000007F710000-memory.dmp

Filesize
64KB

Download
memory/3328-292-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3328-309-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3328-294-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/3328-295-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/3484-163-0x0000000006600000-0x000000000663C000-memory.dmp

Filesize
240KB

Download
memory/3484-143-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/3484-33-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-146-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-36-0x00000000005E0000-0x000000000066C000-memory.dmp

Filesize
560KB

Download
memory/3484-165-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3484-87-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/3484-52-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/3484-45-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/3484-53-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3936-233-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-232-0x0000000006730000-0x000000000673A000-memory.dmp

Filesize
40KB

Download
memory/3936-237-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3936-196-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3936-194-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4852-145-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4852-139-0x000001F4A8400000-0x000001F4A8410000-memory.dmp

Filesize
64KB

Download
memory/4852-129-0x00007FFBCB910000-0x00007FFBCC3D1000-memory.dmp

Filesize
10.8MB

Download