quasar | 164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949

Analysis

max time kernel
153s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Android Tester.exe
Size

22.7MB
MD5

f39cec8c25192d89cab82d32e2645b98
SHA1

8165bc234cfd0fc6dda711d5c032d7c97bb6ee5d
SHA256

82df477a1e5e4105c96c8820385bcd3c1bd54995967d29d2e639d040db5b1574
SHA512

6f194968ceaad61f43ee5a48e433e916746fc485b6e60eb24c67e98e83ea76e8e57f52e4047007d4b58fba1fc38e447ca4dc2942e140e41e3c985538c713d524
SSDEEP

393216:yQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6eX:ykPC0eSZwPtuTx/qU+xv93

Score

10^/10

quasar venomrat office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes

encryption_key
GaGctuJ4ar1CIDW3hoKN
install_name
Winstep.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Winstep SpeedLaunch
subdirectory
Winstep SpeedLaunch

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	disable_win_def
behavioral2/memory/2948-53-0x00000000002A0000-0x000000000032C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dllhost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	family_quasar
behavioral2/memory/2948-53-0x00000000002A0000-0x000000000032C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Android Tester.exeWinstep.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	Android Tester.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	Winstep.exe

Executes dropped EXE 5 IoCs

Processes:

Apktool Installet1.exedllhost.exeAndroidTester v6.4.6.exeWinstep.exeWinstep.exe

pid process

4852 Apktool Installet1.exe
2948 dllhost.exe
2160 AndroidTester v6.4.6.exe
2412 Winstep.exe
620 Winstep.exe

pid	process
4852	Apktool Installet1.exe
2948	dllhost.exe
2160	AndroidTester v6.4.6.exe
2412	Winstep.exe
620	Winstep.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dllhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dllhost.exeWinstep.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winstep SpeedLaunch = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winstep SpeedLaunch = "\"C:\\Users\\Admin\\AppData\\Roaming\\Winstep SpeedLaunch\\Winstep.exe\""	Winstep.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

67 ip-api.com
96 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4760 2412 WerFault.exe Winstep.exe
4288 2412 WerFault.exe Winstep.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1112 schtasks.exe
4484 schtasks.exe

flow	ioc
67	ip-api.com
96	ip-api.com

pid	pid_target	process	target process
4760	2412	WerFault.exe	Winstep.exe
4288	2412	WerFault.exe	Winstep.exe

pid	process
1112	schtasks.exe
4484	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2672 PING.EXE

pid	process
2672	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exepowershell.exeWinstep.exemsedge.exe

pid	process
2936	powershell.exe
2936	powershell.exe
936	powershell.exe
936	powershell.exe
936	powershell.exe
2952	powershell.exe
2952	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
4104	msedge.exe
4104	msedge.exe
2908	msedge.exe
2908	msedge.exe
1648	identity_helper.exe
1648	identity_helper.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
620	Winstep.exe
620	Winstep.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2908 msedge.exe
2908 msedge.exe
2908 msedge.exe
2908 msedge.exe
2908 msedge.exe
2908 msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exeWinstep.exepowershell.exeWinstep.exe

description	pid	process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	2948	dllhost.exe
Token: SeDebugPrivilege	2412	Winstep.exe
Token: SeDebugPrivilege	2412	Winstep.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	620	Winstep.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Winstep.exe

pid process

2412 Winstep.exe

pid	process
2412	Winstep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Android Tester.exeApktool Installet1.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 1532 wrote to memory of 4852	1532	Android Tester.exe	Apktool Installet1.exe
PID 1532 wrote to memory of 4852	1532	Android Tester.exe	Apktool Installet1.exe
PID 1532 wrote to memory of 4852	1532	Android Tester.exe	Apktool Installet1.exe
PID 1532 wrote to memory of 1628	1532	Android Tester.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	Android Tester.exe	cmd.exe
PID 1532 wrote to memory of 1628	1532	Android Tester.exe	cmd.exe
PID 1532 wrote to memory of 2948	1532	Android Tester.exe	dllhost.exe
PID 1532 wrote to memory of 2948	1532	Android Tester.exe	dllhost.exe
PID 1532 wrote to memory of 2948	1532	Android Tester.exe	dllhost.exe
PID 4852 wrote to memory of 4776	4852	Apktool Installet1.exe	cmd.exe
PID 4852 wrote to memory of 4776	4852	Apktool Installet1.exe	cmd.exe
PID 4776 wrote to memory of 1016	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 1016	4776	cmd.exe	cacls.exe
PID 4776 wrote to memory of 2936	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 2936	4776	cmd.exe	powershell.exe
PID 1532 wrote to memory of 2160	1532	Android Tester.exe	AndroidTester v6.4.6.exe
PID 1532 wrote to memory of 2160	1532	Android Tester.exe	AndroidTester v6.4.6.exe
PID 1532 wrote to memory of 2160	1532	Android Tester.exe	AndroidTester v6.4.6.exe
PID 4776 wrote to memory of 936	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 936	4776	cmd.exe	powershell.exe
PID 1628 wrote to memory of 2908	1628	cmd.exe	msedge.exe
PID 1628 wrote to memory of 2908	1628	cmd.exe	msedge.exe
PID 2908 wrote to memory of 4128	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 4128	2908	msedge.exe	msedge.exe
PID 4776 wrote to memory of 2952	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 2952	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 1152	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 1152	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 3484	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 3484	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 4376	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 4376	4776	cmd.exe	powershell.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 2752	2908	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Android Tester.exe
"C:\Users\Admin\AppData\Local\Temp\Android Tester.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe
  "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9981.tmp\9982.tmp\9983.bat "C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:1016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\local\temp\svchost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\appdata\roaming\winstep speedlaunch\winstep.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\program files (x86)\nat host\nathost.exe'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://allienhacker.webnode.es/?_ga=2.196494636.1688825314.1654326551-1345156272.1652202048
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffa4aed46f8,0x7ffa4aed4708,0x7ffa4aed4718
      4⤵
      PID:4128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:2752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
      4⤵
      PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:4484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
      4⤵
      PID:4308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 /prefetch:8
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14649176001951976652,12272438991275794155,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:392
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dllhost.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1112
- - C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe
    "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2412
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Winstep SpeedLaunch" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EnBtZgh35kSu.bat" "
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1244
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2672
    - - C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe
        
        "C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2236
      4⤵
      Program crash
      PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2236
      4⤵
      Program crash
      PID:4288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe
  "C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2412 -ip 2412
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf009481892dd0d1c49db97428428ede

SHA1
aee4e7e213f6332c1629a701b42335eb1a035c66

SHA256
18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4

SHA512
d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9bf00ca55eb77c92d4f3ab9052441724

SHA1
5c7b0026579f9c3d2546a96289183c10111450c0

SHA256
cdb00171046e7fbd14e82da8242b7f544e420c6698b468a4b3609627f9fe1255

SHA512
e8363737fdef3d16812576269b3c29e9045a38b8442386a292333330d41d6b0443b5d560765dc126aed63cf0018cfd2f2531dd63069e9e1c64342a5ea6009011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
876B

MD5
99a5be8c3278c7b3dd8c2ea39576bba6

SHA1
df9bf3cbcb629d85f11f843c60ccb9081a3347e4

SHA256
df738a39fb35dc689fc1e1917173d3bc82860c66db096e6cff80f0960d9aa90c

SHA512
edcdc0cc214612250bf6171324b16a4c26161d99468ca7f146e900a72e20ac96debec4d7466a674532b68492d8b52ccd07084a1029323e21c8559d3dc4cd7c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c831051a97d0f2a9bd3138cadb79022

SHA1
d96d9c2b135be43a5b62443baee766f50b414d9c

SHA256
80bd64370c6519cb28db914044808e34cff33c32eee4079d90bd200e8a3510e4

SHA512
b102da4ee216701114558996ba094211ffbea5da75d133a519138a71f062a495d143c6648352a7aa27e1e5fbf9925b94980154efb3d96aa9c7ebc157f9a974ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95baacaadd1568d3b25d8727e7d1fb2c

SHA1
55ddf16362de5c6abe52cc79b0d5eed30bcc8a5c

SHA256
4412a79d48335d2316865365a1feeb2d736921c57fc505a3954fe46192a1b2dd

SHA512
03cfadfeb430b96ec4fa47e3a30ecf05e49150738dd23de50e9132f3e559ef3a7058d33e92b95bee31b97a1f33e94004c0db4cdd8af645daaeb60bf80f4d3fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
25ac77f8c7c7b76b93c8346e41b89a95

SHA1
5a8f769162bab0a75b1014fb8b94f9bb1fb7970a

SHA256
8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b

SHA512
df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
896e1c1b8c5a26887c8f11a220a6cf03

SHA1
64051facbb4dc78040c0b0142919db8a2df4d5c2

SHA256
3139d5cdda7c9220fafd3933e75bcc3ef11d7cafbe2a450a2c698126f6c010f2

SHA512
4b335cc13ed4ad2b9209b088c57204fefe9ee2a97421105eb1229018f86c3eca846752a4ecf1152ff5d511e1fe156a471b2b2e4a722a4a30811ef18a961ce5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0192674070134480dca9a60c2e5f12ba

SHA1
4eb52e01b07dee2c4a80dc03abc99cd45c8fa58a

SHA256
724a6607fb24cfb82f0a3662886b5afde51fa8b37905c3f6224b20597e88c261

SHA512
ccddd87a2982e3545efdea371760749d191c27a209961b1861c83efdca6ee3b823db768e23896cad467fdcae4fbc32e88c1a4b1e6c3c6368bde71be52739c085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9bb8858716f3e37f292e496375c475ad

SHA1
1fa202b5f8924ea0a02e62a41927befcbe531fa6

SHA256
b1bda76313d6b7f988b644751f0bb0e8bb6fb97fb6facc8795ba8dd24ac0c7e5

SHA512
43f57ea83ccd4c5d2a32f38337facea8040cbf4ca59b7bbaf9149346f7c3e3c6c76d256df98b6de65c64cd32958e5403a04357c6e0f422952c2d683729f34b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9981.tmp\9982.tmp\9983.bat

Filesize
1KB

MD5
bcd21aeb88d121e122e032bf667a75ec

SHA1
32269670e39bb393f918c8ef7b57ddceaf6e27b1

SHA256
cb7ed31c658bf88e133e1e1397ee0dbbd56bb7629895a9ccf6dc558c747b18a8

SHA512
2c03bbe713c0fdb4faf5df5d5d54f057ee5df13776fb56f12565c597738ae7d81e6f2dd06c2a6eae583eab40698d2c870c9a349d74f4061b0b41d5387e7bef5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AndroidTester v6.4.6.exe

Filesize
22.5MB

MD5
341dc6721fbc232343b78df9ec9c87b0

SHA1
41efee2cc4d040ac8b636496d652e641f0b18dac

SHA256
d791d092f6dbdb56f9986e9d4560aaecc229fbf6af829608007ea74175711f4b

SHA512
48c4aec0a45913dbd12d4e4070a475be2b4d86dfab91fcb9594affeea85cbf4a00a99fff99090ed8c76e250bddb1f2d1147623d6c450bb3aa1223d799346cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apktool Installet1.exe

Filesize
90KB

MD5
8f020103ca37c36f67a7d4ac20ad2ab8

SHA1
1d63f71056e1e8a934cc7ad3dbaed6a217f7ddac

SHA256
a49d9ea46e96ac378518dee631197a8868da81599441c32e9d33057c2bfef2a2

SHA512
0b03656871ee2f4ca76386ab119675765bc6dbf6271fd5d80a1652cae7c2302cf34241e78f41e8c67214f9f3ed125174edcdd831d06db2490d661306d228e79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnBtZgh35kSu.bat

Filesize
221B

MD5
4c4a55923047b41979f4de3dfd4823de

SHA1
808d197d23cc80730b3ef9103a62e05816785717

SHA256
a97638423582b6bf8edbf9d44ac59044e17cfa5229172ddb178c71be0ec6d9f2

SHA512
7ea4194343e45e64f1a29cbdd3d89543b5ead58011e9aa73b17e9c8df14dea5874cfa4c0d10cb9f2681bb80a5552a02eb0143455564c431e36b4bc134c878ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL.bat

Filesize
109B

MD5
ae2b368ac1a2180aa6307c913aba5713

SHA1
9ed2a7fe126d48cbd53c5a3b89cd2dc86b81f921

SHA256
b5d3420d52ea0fe34905cb9269f11b964dd7c2b3a31d58620131194fcd2bf992

SHA512
839f3dff0ddf5ad0bfd8f7fa0d6a98fb7bbc0c0b0baa8b58eb6621c011ac175fb34f1a44587b4fc8a0119ca0491d44109b12ae050eb66cf4dca5a2d75a1113fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yprarznm.40z.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
C:\Users\Admin\AppData\Roaming\Winstep SpeedLaunch\Winstep.exe

Filesize
534KB

MD5
3929b52ee76c8c5480e4209cb7f70d5c

SHA1
74ff90a0f1a7561aef81da6202c7355c6b170413

SHA256
53a4d73780e05e99c62c732f3950ac68bbc86c74a90b32b9f9a54590b85be5cc

SHA512
e96374483bbf62ce32e4c75bd3e2ba39f130aa42332f80b71568c01a6a8ea756c8aca53838ac8050d28997ed1181ce7a9923028bba9687d0fcd2c1170a5d6e34

Download Submit
\??\pipe\LOCAL\crashpad_2908_GZEINMGSHLDXKSAH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/620-375-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/620-380-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/620-368-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/936-83-0x00000213ECD60000-0x00000213ECD70000-memory.dmp

Filesize
64KB

Download
memory/936-82-0x00007FFA53700000-0x00007FFA541C1000-memory.dmp

Filesize
10.8MB

Download
memory/936-93-0x00007FFA53700000-0x00007FFA541C1000-memory.dmp

Filesize
10.8MB

Download
memory/936-86-0x00000213ECD60000-0x00000213ECD70000-memory.dmp

Filesize
64KB

Download
memory/936-84-0x00000213ECD60000-0x00000213ECD70000-memory.dmp

Filesize
64KB

Download
memory/1152-124-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download
memory/1152-129-0x00000244CABE0000-0x00000244CABF0000-memory.dmp

Filesize
64KB

Download
memory/1152-130-0x00000244CABE0000-0x00000244CABF0000-memory.dmp

Filesize
64KB

Download
memory/1152-132-0x00000244CABE0000-0x00000244CABF0000-memory.dmp

Filesize
64KB

Download
memory/1152-134-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-317-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/2012-287-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2012-323-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/2012-381-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2012-306-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2012-304-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2012-302-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/2012-300-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2012-289-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2012-328-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/2012-286-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2012-364-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/2012-362-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/2012-331-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/2160-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-227-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2412-223-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2412-228-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2412-316-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2412-270-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2936-37-0x000001AD57B40000-0x000001AD57B62000-memory.dmp

Filesize
136KB

Download
memory/2936-51-0x00007FFA53700000-0x00007FFA541C1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-46-0x000001AD57B80000-0x000001AD57B90000-memory.dmp

Filesize
64KB

Download
memory/2936-44-0x000001AD57B80000-0x000001AD57B90000-memory.dmp

Filesize
64KB

Download
memory/2936-43-0x00007FFA53700000-0x00007FFA541C1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-205-0x00000000062C0000-0x00000000062FC000-memory.dmp

Filesize
240KB

Download
memory/2948-99-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2948-118-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2948-79-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/2948-63-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/2948-80-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2948-196-0x0000000005E80000-0x0000000005E92000-memory.dmp

Filesize
72KB

Download
memory/2948-53-0x00000000002A0000-0x000000000032C000-memory.dmp

Filesize
560KB

Download
memory/2948-85-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2948-110-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/2952-97-0x000001C14F270000-0x000001C14F280000-memory.dmp

Filesize
64KB

Download
memory/2952-94-0x00007FFA53880000-0x00007FFA54341000-memory.dmp

Filesize
10.8MB

Download
memory/2952-96-0x000001C14F270000-0x000001C14F280000-memory.dmp

Filesize
64KB

Download
memory/2952-117-0x00007FFA53880000-0x00007FFA54341000-memory.dmp

Filesize
10.8MB

Download
memory/3484-139-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-142-0x000002377E3E0000-0x000002377E3F0000-memory.dmp

Filesize
64KB

Download
memory/3484-151-0x000002377E3E0000-0x000002377E3F0000-memory.dmp

Filesize
64KB

Download
memory/3484-154-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-155-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-156-0x000001FA33220000-0x000001FA33230000-memory.dmp

Filesize
64KB

Download
memory/4376-157-0x000001FA33220000-0x000001FA33230000-memory.dmp

Filesize
64KB

Download
memory/4376-168-0x000001FA33220000-0x000001FA33230000-memory.dmp

Filesize
64KB

Download
memory/4376-171-0x00007FFA53930000-0x00007FFA543F1000-memory.dmp

Filesize
10.8MB

Download