bd456a902ea03b9832f591f858829997826c356fe0746400cb381e891680ee21

Analysis

max time kernel
186s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
Size

2.5MB
MD5

39dd164fd6cf3c0c7ffc63a654c01a8d
SHA1

ef36ccb87b338c94e67a6c7c4a5293e7222436af
SHA256

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
SHA512

373ff3350b876ed9691ef1c8e920eb4b18ba887de8e8028899b9d294a055148810d2d368b57ff623aedd17605ddb8295a089641ac3a0431c02e282cfbb152412
SSDEEP

49152:1TjxpDC2v28vf+yGNbnIzLNckkmTmAl6xBaUmUUshTsdfIl+nMXf5H:xPCL6fpGNDQRc6T8VRx8nMP5H

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5Hq1WH4.exe

Executes dropped EXE 4 IoCs

pid	Process
4616	YV3li16.exe
4848	rJ6nY27.exe
3352	2vK7960.exe
5084	5Hq1WH4.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5Hq1WH4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YV3li16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rJ6nY27.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000400000001e7ec-19.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe
5084	5Hq1WH4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2184	msedge.exe
2184	msedge.exe
3820	msedge.exe
3820	msedge.exe
4188	msedge.exe
4188	msedge.exe
2212	msedge.exe
2212	msedge.exe
1784	powershell.exe
1784	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3596	AUDIODG.EXE
Token: SeDebugPrivilege	5084	5Hq1WH4.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
3352	2vK7960.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	5Hq1WH4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4616	3104	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	96
PID 3104 wrote to memory of 4616	3104	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	96
PID 3104 wrote to memory of 4616	3104	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	96
PID 4616 wrote to memory of 4848	4616	YV3li16.exe	97
PID 4616 wrote to memory of 4848	4616	YV3li16.exe	97
PID 4616 wrote to memory of 4848	4616	YV3li16.exe	97
PID 4848 wrote to memory of 3352	4848	rJ6nY27.exe	98
PID 4848 wrote to memory of 3352	4848	rJ6nY27.exe	98
PID 4848 wrote to memory of 3352	4848	rJ6nY27.exe	98
PID 3352 wrote to memory of 732	3352	2vK7960.exe	100
PID 3352 wrote to memory of 732	3352	2vK7960.exe	100
PID 3352 wrote to memory of 2212	3352	2vK7960.exe	102
PID 3352 wrote to memory of 2212	3352	2vK7960.exe	102
PID 3352 wrote to memory of 2828	3352	2vK7960.exe	103
PID 3352 wrote to memory of 2828	3352	2vK7960.exe	103
PID 4848 wrote to memory of 5084	4848	rJ6nY27.exe	104
PID 4848 wrote to memory of 5084	4848	rJ6nY27.exe	104
PID 4848 wrote to memory of 5084	4848	rJ6nY27.exe	104
PID 2828 wrote to memory of 2864	2828	msedge.exe	105
PID 2828 wrote to memory of 2864	2828	msedge.exe	105
PID 732 wrote to memory of 4472	732	msedge.exe	106
PID 732 wrote to memory of 4472	732	msedge.exe	106
PID 2212 wrote to memory of 3936	2212	msedge.exe	107
PID 2212 wrote to memory of 3936	2212	msedge.exe	107
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112
PID 732 wrote to memory of 208	732	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
"C:\Users\Admin\AppData\Local\Temp\4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2vK7960.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2vK7960.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9981f46f8,0x7ff9981f4708,0x7ff9981f4718
        6⤵
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16585986406443102484,14757248067492631066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16585986406443102484,14757248067492631066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        6⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9981f46f8,0x7ff9981f4708,0x7ff9981f4718
        6⤵
        
        PID:3936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        6⤵
        
        PID:4564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
        6⤵
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        6⤵
        
        PID:440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        
        PID:4672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
        6⤵
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        6⤵
        
        PID:4072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6044 /prefetch:8
        6⤵
        
        PID:1812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6296 /prefetch:8
        6⤵
        
        PID:4544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
        6⤵
        
        PID:5812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
        6⤵
        
        PID:5804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
        6⤵
        
        PID:6032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        6⤵
        
        PID:6040
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
        6⤵
        
        PID:5220
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16470750565560751092,4448105701965044037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
        6⤵
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9981f46f8,0x7ff9981f4708,0x7ff9981f4718
        6⤵
        
        PID:2864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9767583267528601034,3150448334370818280,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        6⤵
        
        PID:4700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9767583267528601034,3150448334370818280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Hq1WH4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Hq1WH4.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cfb97d53300d1e7e2140feb09fed356

SHA1
e1c7422ccdc5929c54f030da2d5f22528689fd34

SHA256
c3f86c6eaa392be820d7a17f963d80bd0d62ef893076dfaf6e73cc865473d629

SHA512
c22490a37f4723334316611bbfc5f2d3dcc631b16e91aa1a106fbd51efccb59abf2ed434da9dd13dbfa801bbaa52bf54469b1b2bfd304b8d755ff9a96473af6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a6165c3ba085f9e6ef7c17491f5526b

SHA1
b138704c136e54bfb6017886e31d6627f0785fec

SHA256
d7c387d32e581f51b0d34c4cef4d644695243838ef81c33257044044f78aec25

SHA512
04f0a0ccd15703d2ca70febf1bf8c366a4472e476e244f365e1d0061a5003ce1e9e260be04541cfb7eb15d5e1c88f3a71749760aa927053246db6d7376ce3f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26abfc792fe0726addc0d5b26747eb20

SHA1
0a02b9d7448b5a313c80616768aa11b7601092ff

SHA256
215312f70f473a99159cc18916ffc5ca5a1dcbe23e824613f65d03adcce9415d

SHA512
8a17d3645d23e15d9f702b9c8e595aee5d2381edc3930f5ed9ed1218bbdb33c64efdcf2b21e182b54aef1bd3d3d862883a2cc413e5bf078392cd90c37b304346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
fcdb8bd41908d2175c806da3a9b4b15e

SHA1
1564dbb13cd1a9dd3bc80272a7dfcc70f2209224

SHA256
7f7aeb47024034e0fa92c8150b2138c334a708eb0e687c887c7ded625c1d063a

SHA512
8a1a1477d20cf08a665d977a376da25c12608e81957ea73140a9148600afaff320a1abac487e1ea5533a2fa38b58d6671553a5e7ca186893bc833b622646284a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
70e2e92317ffc094e776131838003dad

SHA1
74b682e3be0c45f615d6f8158d31d3ba855f7b0d

SHA256
66e944cefce7eb0484658ca9469d4af880a1ad293c895b0353a3c0ec3237be76

SHA512
2a9857a653e24f58f022e28a25a67e1049f2386b220fd2885003d557a293a47dc265f226016166673a94a61f3de6548a2850d1b99614904b95d6a13ce8f34d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0cfcee674c6b5d223f45aa7d6f19d5b8

SHA1
d154601c8f73b2c7e8a21cdd4d53450b3ce601d6

SHA256
50a8a737036186c910a2195a6d3062ffafdc75041eec71a193393ac9aea897c2

SHA512
b71620ab958c95013e0eea3d9006a4fb89e0dbccfd00b971d34813ea8dcecb8e56fab9df0a0185d67e8234835278cb6f9651b19dd1f9a7e08bc0ea10059928aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4beeba4aed8f42479c6b681009008809

SHA1
639252d9196c2a02f15c429f006ee8a4b543092f

SHA256
e90757db7ed29d73cbf52c538b69021dcacde27ae13a39c97d86fe4ec9f0125c

SHA512
87257737868c40826655366137f37af4d46b27dd6c818689de4722805a2f200dbce9f60a0c554436c336a128a5b2267874a1ac7c20923d4864543ddd68586777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5aab45.TMP

Filesize
48B

MD5
73570aa7f237496964d0ef87250810af

SHA1
30d89fe3cc62242cd6f60a584d0b65708edb5942

SHA256
0348d9e60484b00209efdc26b8012ed6eb2488a47e5a39ac4bdd61c462952dea

SHA512
2895fe1661a244ce0d454157124180ba77796d0d27b817c8642d50c09e1b9dde1386c396724c8c5b48541926542513bfb1920b7c69a1de71ebcf347398c92fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
578b3ce92f33497315dee652991dca4d

SHA1
fce7173777b2302691afd92093b0eb9aa52f63e3

SHA256
b7496fa4f53b81b6933bc3da442943dfaac9059dcf3e669330a621b44a32a9e6

SHA512
25da032b0b95831189481d2a35f5f710315614c843449192978a2b11eacf480c1bae33215c70f67483eb772cf18df2fe126edebcf2076ed9519454e2bd0411fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c21129a694c19f1d9e83078f206050e4

SHA1
b449028098bbc8b839837f3890e29208e6da4a0d

SHA256
91459501522bcf03b4907d1a5752f594e601a56664fdb6ac7cf76b5cc6ea8963

SHA512
12df48ff30631812343739414d3eb01e920736c187dbf90d52f725785dc344def787bae5c06ea55f50e0490488b784de339ee8f85edc574f2e9ff609a05ef915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a6b2f.TMP

Filesize
706B

MD5
0c5e0c3ab7c5391619ec82c33f5ed6fd

SHA1
8233515095912d4101598cbdf8b0b6ae625de012

SHA256
00e1f3c8becf9aad273f94faab6abb37baeb436d129178e43d505a611c9c4bfa

SHA512
871ebce698660f4816e9a08ff253fda45d9c188ae05fd9cdaa41c0ec74f460973ad50977ef75a8ec9829d7b83c5c53622a4ce914f9c40a919249596e106b34af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dd13ab39-b73d-4ceb-b0db-c3c8c53ca285.tmp

Filesize
5KB

MD5
c37825a06d999584072a716d39127913

SHA1
fd0660b3571080174dccd1fccb661d624262ef3b

SHA256
996d9daf305b122951107e3b7c0eb4d22c83da969d8eba2127c2cc0dda208015

SHA512
fc690e8947cf156aa3323913510837aad695647e16dbe04100323d80584d455536f81df693992a4299d9eafa03032c039b5d897365fa92894eec4d834adc5cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5f33d8e28d12552bc341ddb7efa9566f

SHA1
2c073a3070a9a39d768d5fe62cccd77d994bf6d0

SHA256
fca575c26b41f24bdf91d10012e25d0477c1a0c6519be7f123044b1f4b030594

SHA512
ddcadaa0497962a8a1a3c3f25c26e9bdf8e22234627db9c812dcf787a467b39e780024400a3948176f8f111acd5809fc4a91ae195630ab47d6a2be63a8f845b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5e6c2c5705de7ee93195986be3c419b8

SHA1
6a0a344ddd394a0390769cf81103305663abc4d6

SHA256
0bf9f19849e41d71c941e57633ff7aefa69f7305d41f7069cc6a144789b056a0

SHA512
29695e8a984a5645b72ed54fdebe1f851c404dde6712aa40fcc7f2b90cb3da65ced328c6f18736eb4f8e14a0a78dd70088a7eed8287a71601079dcd1d4827637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a9ef8ec8e5f44827a33b32a9573bec91

SHA1
2ce3a0134f0305ae6632d36988fec1de52ef6520

SHA256
3bd17f5d02dbcb11cea4027db8e50b48a50f55d49901ff1f6f10b53c298b5a3c

SHA512
01153174c8c5874613eb4fbaadc5ee02fa0723fc9cb41c1bef189d23b8ea867d44a11f2ad1e1444a0b8d3acd92566a5fdb89fa70b01d25b0e4970ff04b6881a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48ec3d1b0bc2f564806df87c5e5959a1

SHA1
27869663cc6c42588354782fdd480bf7b4c24811

SHA256
2aa0e4c66274236f888c4386cf86cc714583f0441faaff4f3af7cb29da84b988

SHA512
3cab9fadcb0689c316e5b8c28196aa03dd42068058125070fad082721d22d22abbca127323f659ce53ebb361a873f3a99d87ebcfcc79cbad6fd6425e403a21c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe

Filesize
2.4MB

MD5
edf1ce56430b8fc1cad93f80b53a8c3e

SHA1
b6fb89e6a9a78aa921609076fb41cf3190c567fc

SHA256
cdb9ee2072aff169c26995375a9f05fc0e05fe671f65bc599d594f868ddbdd7c

SHA512
e989982524e48b90cdb79a2c51cb88d859013074def9db04b8477bebd2904c27b622b44f2df0a1567c44b351cee842d70c64eb9a2f40d00382874de66c43893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe

Filesize
1.9MB

MD5
4a69cf84e9f0e393c56dab448e8364b2

SHA1
a36249e50897e21035ab7d95154e3e3df47cdf44

SHA256
52ba7cdafefe9941d2a425cc86877c2268ced04bde14031ceb495de191d2e5d6

SHA512
a43e91a3ce4a8eec3590e287747e4f63e5ef7d27c3676d0c92849627f24699d91e84f6728aa79e8ad6c4fc3bc789d722d818f49ac09e602c8832fa77942e95e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2vK7960.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Hq1WH4.exe

Filesize
1.5MB

MD5
7867453669bef0bee3bd9a5fb9180a13

SHA1
f2ce30d2c67ca80efc1d16a4a903a075892d169f

SHA256
79619aaae68cb35367c8145b4a5f98b6d8fadf3e9435a6ce7c75202895ca0d44

SHA512
44449659c9bbcc89d5c29fcb6f6d5d45b1f75e695e8475b19ab4fc7a8ca48e85a74567d59bdaad44f4e354fcdf4745e72177abbd2d8ffe5b80d5d8737a7ee5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0q0v1rw.fd2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1784-492-0x0000000004EB0000-0x0000000004F16000-memory.dmp

Filesize
408KB

Download
memory/1784-491-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/1784-516-0x00000000056C0000-0x0000000005A14000-memory.dmp

Filesize
3.3MB

Download
memory/1784-490-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/1784-460-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/1784-470-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/1784-458-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download
memory/1784-459-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/5084-87-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-28-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-32-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-429-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-357-0x0000000008770000-0x00000000087E6000-memory.dmp

Filesize
472KB

Download
memory/5084-346-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-136-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-135-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-501-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-192-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download
memory/5084-173-0x0000000000120000-0x000000000057E000-memory.dmp

Filesize
4.4MB

Download