f7dfaa9e79da582285f964c17f202631b50c186b56fbe2c417d1cb042b2ba655

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Size

4.3MB
MD5

071f8bfffa76377293c3846706a9eee9
SHA1

fb8a1393c2c7c9e3adb21930e10633605c028a2d
SHA256

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2
SHA512

84d21135d1410597037321ce8434a27dee3878e4b3992ca2ae3837c0b1715f021aec3e5a42a00e2ae019b917c631b87bcd08844b672e3669f0c0c55b71789b4f
SSDEEP

98304:tIOMcwQObrql/9CpTxJJphqC3vKfOlk36VncyH7kuK2OFVa:tIUfObrQ/kX8euKk36VnH62

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

2Xd7831.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe

Drops startup file 1 IoCs

Processes:

2Xd7831.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2Xd7831.exe
Executes dropped EXE 5 IoCs

Processes:

Jo6pN03.exeHX6eg45.exeAq8fa68.exe1aF72hB0.exe2Xd7831.exe

pid process

1868 Jo6pN03.exe
1524 HX6eg45.exe
3712 Aq8fa68.exe
5080 1aF72hB0.exe
5016 2Xd7831.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

pid	process
1868	Jo6pN03.exe
1524	HX6eg45.exe
3712	Aq8fa68.exe
5080	1aF72hB0.exe
5016	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2Xd7831.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HX6eg45.exeAq8fa68.exe2Xd7831.exe1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exeJo6pN03.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	HX6eg45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Aq8fa68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jo6pN03.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

2Xd7831.exe

pid	process
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe
5016	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4396 schtasks.exe
2220 schtasks.exe

pid	process
4396	schtasks.exe
2220	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exe

pid	process
2452	msedge.exe
2452	msedge.exe
3940	msedge.exe
3940	msedge.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
3736	identity_helper.exe
3736	identity_helper.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3940 msedge.exe
3940 msedge.exe
3940 msedge.exe
3940 msedge.exe
3940 msedge.exe
3940 msedge.exe
3940 msedge.exe
3940 msedge.exe

pid	process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2Xd7831.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	5016	2Xd7831.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: 33	4740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4740	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
5080	1aF72hB0.exe
5080	1aF72hB0.exe
5080	1aF72hB0.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
5080	1aF72hB0.exe
5080	1aF72hB0.exe
5080	1aF72hB0.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2Xd7831.exe

pid process

5016 2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exeJo6pN03.exeHX6eg45.exeAq8fa68.exe1aF72hB0.exemsedge.exe

description	pid	process	target process
PID 2668 wrote to memory of 1868	2668	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 2668 wrote to memory of 1868	2668	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 2668 wrote to memory of 1868	2668	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 1868 wrote to memory of 1524	1868	Jo6pN03.exe	HX6eg45.exe
PID 1868 wrote to memory of 1524	1868	Jo6pN03.exe	HX6eg45.exe
PID 1868 wrote to memory of 1524	1868	Jo6pN03.exe	HX6eg45.exe
PID 1524 wrote to memory of 3712	1524	HX6eg45.exe	Aq8fa68.exe
PID 1524 wrote to memory of 3712	1524	HX6eg45.exe	Aq8fa68.exe
PID 1524 wrote to memory of 3712	1524	HX6eg45.exe	Aq8fa68.exe
PID 3712 wrote to memory of 5080	3712	Aq8fa68.exe	1aF72hB0.exe
PID 3712 wrote to memory of 5080	3712	Aq8fa68.exe	1aF72hB0.exe
PID 3712 wrote to memory of 5080	3712	Aq8fa68.exe	1aF72hB0.exe
PID 5080 wrote to memory of 3940	5080	1aF72hB0.exe	msedge.exe
PID 5080 wrote to memory of 3940	5080	1aF72hB0.exe	msedge.exe
PID 3940 wrote to memory of 3308	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3308	3940	msedge.exe	msedge.exe
PID 3712 wrote to memory of 5016	3712	Aq8fa68.exe	2Xd7831.exe
PID 3712 wrote to memory of 5016	3712	Aq8fa68.exe	2Xd7831.exe
PID 3712 wrote to memory of 5016	3712	Aq8fa68.exe	2Xd7831.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4404	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 2452	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 2452	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3064	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3064	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3064	3940	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
"C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff99cb546f8,0x7ff99cb54708,0x7ff99cb54718
7⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
7⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
7⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
7⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
7⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
7⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
7⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5280 /prefetch:8
7⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 /prefetch:8
7⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
7⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
7⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
7⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
7⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
7⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12141268000698164746,9947395782348350122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4004 /prefetch:2
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
PID:4100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
c6adc32fd0c66767e8891253b49ce04d

SHA1
24ed331808cb31e40fa2c00924d5f44fb8918d5c

SHA256
6e5bdb067b90bea3b06bd8c65453e229eda48a1d98e367363802412b1fc2ef19

SHA512
1962080ed1d2a8b0db2c5fd7492f62cf6106d484ea7133d9ca4cf1ecd3542b38b9923b84e9980569bae51199bc7d7b13056efbd22ad76eee21b426e3f43ee533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
22b4ec8fa54981f88d494c0fef131c3a

SHA1
ec4c268986462458774f45b251e49c20046057dc

SHA256
8aa2076086ea7ef740bc416a8d7bbee14479c5541f18b9e32c328460c0adfb39

SHA512
423ed5e88e539fed3cb5b09311d795b18aac91f00ce17959152dc3a14bf0eb2a968347109f0aacb4bc63db44efb7a9f90ad4d46867fb577ed68ba7ec1a468763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
8447ed3d691cb555e0b971f74911cb8f

SHA1
9db08bb3a6440c8f03a5c83addf67496290b01d3

SHA256
a8fbcbf38148b4337704ebc3928fc12c2f5407a010ab70bc154e4483203fb0e1

SHA512
ab742228b6d97de23fd8c76c2ee6d8764ec7e5d05d85b438c712ded7e7c959230d9700130c4a7616a33dc0015bae534a5f5ec2b2c98ac234c79958ba5e64aa44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7e612eb0b33444a43c536764a41bb850

SHA1
5a031d6766ac1f40e66ccf77760677d770c9c67d

SHA256
d0e26eabfaea2b2a6bb4a3c7e2ab91cbcfc8317081b5a66e816e36e479273d02

SHA512
4dd8540aaf34601b8c4ea62187257fe1baf3d36c1a8265c0ee6ddd8a01d6b2485c0784c3944a7ed4b2511f01e79add30da75a4646cddeb39865401c211691261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a5743ffe3e23e3854352d081caf83196

SHA1
3043826c9f79b2e83ac8b7589e7a2d2b056b56dd

SHA256
a9312f81d5f74f7e13f427decf7914005afaa443c352c9e796b48503209b01bb

SHA512
6c33ab0c46e5e917aa08a1dad14c68a3d0763cbee101b36fcaafeb6e784bd2489df35b2075c8bb6b18e82e025b1f123d5036a6c90d62fd3e7b65bcc296e8f7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9c85bfbb-1cef-444e-ba82-0d19b7fe4dcf\index-dir\the-real-index
Filesize
2KB

MD5
baf7f6e33031a68a2fc43c318d57949e

SHA1
880b6f392cf474ce2cf4e6d390b111fecd3cf4e2

SHA256
d94dc59b01ef4d5f3860570da6dc682b861e70808787493b1cf13422392efcf8

SHA512
aa764c327df5b454e55a54bf7c3dc6d3d6f943dda65395b6bea3cc26fa515a122abb1fa15e7f2d6383bfd73d49a50282d9446f74c16dfa3f90a79beeafeffe8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9c85bfbb-1cef-444e-ba82-0d19b7fe4dcf\index-dir\the-real-index~RFe57bbbe.TMP
Filesize
48B

MD5
cedac63214d97d9a648e59cb326b30b2

SHA1
e0e24286f6f1f0152b1b4976631ff93a59cbef23

SHA256
c6d553f8e29a61ad893d74532865eb1ac978325a4ebd6051e7eefc8a75c47849

SHA512
d357872fe6ab0b244911da5f30c6b53220a4768cdddc5661020881dc73ad297343117138be625cb947c78bb52ae91b16bb63351bd3ec1edc58989dbfbc0f16dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
fc14fbeee3ad834a1ee67ee1b8aa4e0a

SHA1
533d91a77d101751a718fcb98d318e3e1b9a9e9d

SHA256
d7591e388b04640faa839ef1ad2d6917b63ef07f99f9339d512f418744704d2c

SHA512
0514a8dee887f9da537d66e6b745d411f315aabe8d9b5a521edfc4e065b239ff6b05f0a8bece9a70adb0c0bc1507550efa07b92b18eb8050d736e6330a5e0868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
186c9bfbbdd9f3a03c15cec6c4af531b

SHA1
366019f29ecb039bd5891835fbedb670d080cea6

SHA256
dc78e52cb0908e62ce89eaa64c03a4dbc14f60f4eaebff0e8e908dcea76c5e56

SHA512
397bdcc3789b7caa967ae1220042c52eb61c6db9f01147a538893b7ad516de62e361a45846327408f03ec3bfac57421ce6903a8952dc18479a68fdcc12ee7d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
947803f36ecb60eef40b84b10f3b43ab

SHA1
9e580dd9f361c5140218227c155dd75fe00343b4

SHA256
176ab5ec145cf3cc3170637fbbc376f050921a89afc3124180dbfeaaf979d808

SHA512
3aca42afdfc0451e1c920e628b3ddc0b617bc96d7d4bd496a9310beec586d32ab309e543f80ba6d2ae13cadaeb13399e485a2a4811445442e690555c2c563e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
d1aa7ba668133bf2b7971250fec3c5c1

SHA1
448a83064f03b227ac22862cdac5b851d2d3091d

SHA256
8eb90a246ad2ef8d2188beaf204b607cebc1cc165d6ff8a69a8a6b66089f74a9

SHA512
9b7b13d94840df36d47dc7c4268cc52d88058a230c7d8d9c04eabfda4818eadcfe9091cec4d8ec68c376627b9f891f34f52a996d28763f82bdb91a24cf78dacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
a8c3c38d1383d81c22fca7169465dc0e

SHA1
a38e8415ab1b41cc36eac461102aa4b3d085a641

SHA256
e5810fb4f20adcbe74615253cee7625a2704aa2c06896cf8ed3002780a1d9ea4

SHA512
6fd69e184227b556dcb0f3e15b80e6e75e198c1f57cee2d3361321b53e4126fb84434b434657103177843b257ce95fda0442682f956052aef01efb8db31b34ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b42d.TMP
Filesize
48B

MD5
3f693468b4b4bc526b57fa0fa12c47ed

SHA1
af41bb7374b230b291bb590e3442200f2e7cd703

SHA256
1443a16692a03ba4737d669f89dd38bbb3728001b78b38fa61f42d72f2cfb52c

SHA512
87648f4ff1477c5e49c221fc104929b7c42208bec8dbf6d3e498f7f1068275ca6de68411c10fe511babb380b684304bb3d2a0b6d6f8a756c2fa977a960e34f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7374e8944c50a43bf95e077923adaa9b

SHA1
c7e5a14b45e88ac976f88c51fe6d4fe64090c654

SHA256
e3080c1952bba747075da3f5ef6a09adf7f7b8bb704ccec9c53f3560c74dfeac

SHA512
eb3df60a754ed47ed5d16507836e90f41d661cb182f35fe3f127aa6950f6efd4bc617f81e1a2f113b70b937e98f87f925c5721bd1d5fe941532136b985add3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
Filesize
1.9MB

MD5
fb57c34a42cbae05dc6182f97cdd115a

SHA1
635b8d4b649aad39cecc07f44b0862fe2f93783e

SHA256
12a6c73adec5dd0dbf26d8bd5c4b2cec469254d28193a3639185f58425cbefb0

SHA512
8be8bbe6bd437bfcd014aaa246b2d4dd1f4648c88d154e2dba1d21805a2b77d6b5fd341de43f1d3873ea0be8bf28400c514c239473c6d1944ea7166742a44904

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
Filesize
2.1MB

MD5
0129889f87931a9c3bdcf0603d7af55c

SHA1
20bf313bcc3fe79ec07235d69aa74d02b9211221

SHA256
32e2014311dbd35cfe0c741f1c5c8444cd22c7229856c262e50617ebf4966a41

SHA512
1347441040250bcb01502fea8fc45b135d1ef3a65f2010e6ac7f82f87100eb03cffa4328399fc7787e83d16c7d7d6ad36f8bceefb37abcaac952cb504fc9d8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
Filesize
2.1MB

MD5
7fb76847a4a5c3a3243092976f45fd18

SHA1
0d7bcbd6d9232e22a1141f08f3215d6bf977ed95

SHA256
97351918f4a437d15e9c5a23338b8f8a273f7c9c6089245989467eeaef6cb7b8

SHA512
f5926f1352149d874575536fbe71b25a9c03556c95816853db234d7f7f5e1cb14db16440d01444f6fe82b5c213561c33b069285d4fe7c15a45007398cc4230ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
Filesize
1.2MB

MD5
6472c6d16c500c8326af88e6e583097b

SHA1
68edf7482d7bddb97ec0394acc4a3e8c6904fdf3

SHA256
65a60c949807c7ddedacffee219d64e6a7db11e4930530c573de7b17a0ae77aa

SHA512
133906e8e85a2460df80177a11435a34c13fba59185a8d82ae9ff9ace031047744f395230bbd94bec77c3157447f382acbaee583e0c10aa3998a40f1d037541d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
Filesize
2.0MB

MD5
e1ca89e321f8198d4253c9178eb523ff

SHA1
fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

SHA256
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

SHA512
af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
Filesize
1.2MB

MD5
2c715cd1b0962b1fa9c9dc1e733e5bc6

SHA1
c5de0478c1b335473ea4f631eef382d139cf948f

SHA256
446a9c40ab386bd68d95c9b7aa29084c20ab9872c24607659332d91f51a48818

SHA512
8b40865feef36bfc702328ab7d73de25fd84327d5f383cca2d2c662f4afe520eb44d7f5151538a20d1a7983a1c6291dd2a0e1a073d9ae88795eedc2bfe3db249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
Filesize
448KB

MD5
b0bdd760c9de4024d510bb95bf8731be

SHA1
96da4afa676301255f6b4e8c92bb83bbddea110c

SHA256
a1215dd5f50e9546c07aa084158a8a82e80cac6236f31a5be99aed43e02f7822

SHA512
836ef1ce2cf872c1eec999692d79f18c7f10b4d0b1aea9f30820fe83433a32ff1048dbe3cf836a7c16d94523ad17d6ed5bc580edb936fe90b629f64261184428

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1ksy3dl.yvf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_3940_AAYWBULTLRERVQQX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4820-62-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/4820-83-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/4820-126-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

Filesize
304KB

Download
memory/4820-148-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/4820-147-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/4820-149-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/4820-125-0x00000000065B0000-0x00000000065E2000-memory.dmp

Filesize
200KB

Download
memory/4820-156-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/4820-157-0x0000000007500000-0x0000000007511000-memory.dmp

Filesize
68KB

Download
memory/4820-233-0x0000000007530000-0x000000000753E000-memory.dmp

Filesize
56KB

Download
memory/4820-240-0x0000000007540000-0x0000000007554000-memory.dmp

Filesize
80KB

Download
memory/4820-267-0x0000000007620000-0x0000000007628000-memory.dmp

Filesize
32KB

Download
memory/4820-253-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/4820-136-0x0000000006FA0000-0x0000000006FBE000-memory.dmp

Filesize
120KB

Download
memory/4820-63-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/4820-87-0x00000000060A0000-0x00000000060EC000-memory.dmp

Filesize
304KB

Download
memory/4820-86-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/4820-69-0x0000000005210000-0x0000000005232000-memory.dmp

Filesize
136KB

Download
memory/4820-77-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/4820-137-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/4820-78-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/5016-401-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-373-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-44-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-425-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-379-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-380-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-390-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-400-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-444-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-313-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-55-0x0000000008F60000-0x0000000008FD6000-memory.dmp

Filesize
472KB

Download
memory/5016-426-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-427-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-428-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-431-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-432-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-31-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download
memory/5016-345-0x0000000000B20000-0x0000000000F8C000-memory.dmp

Filesize
4.4MB

Download