f7dfaa9e79da582285f964c17f202631b50c186b56fbe2c417d1cb042b2ba655

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Size

4.3MB
MD5

071f8bfffa76377293c3846706a9eee9
SHA1

fb8a1393c2c7c9e3adb21930e10633605c028a2d
SHA256

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2
SHA512

84d21135d1410597037321ce8434a27dee3878e4b3992ca2ae3837c0b1715f021aec3e5a42a00e2ae019b917c631b87bcd08844b672e3669f0c0c55b71789b4f
SSDEEP

98304:tIOMcwQObrql/9CpTxJJphqC3vKfOlk36VncyH7kuK2OFVa:tIUfObrQ/kX8euKk36VnH62

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

2Xd7831.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2Xd7831.exe

Drops startup file 1 IoCs

Processes:

2Xd7831.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2Xd7831.exe
Executes dropped EXE 5 IoCs

Processes:

Jo6pN03.exeHX6eg45.exeAq8fa68.exe1aF72hB0.exe2Xd7831.exe

pid process

3732 Jo6pN03.exe
2928 HX6eg45.exe
2772 Aq8fa68.exe
2904 1aF72hB0.exe
4524 2Xd7831.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2Xd7831.exe

pid	process
3732	Jo6pN03.exe
2928	HX6eg45.exe
2772	Aq8fa68.exe
2904	1aF72hB0.exe
4524	2Xd7831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2Xd7831.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2Xd7831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2Xd7831.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HX6eg45.exeAq8fa68.exe2Xd7831.exe1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exeJo6pN03.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	HX6eg45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Aq8fa68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2Xd7831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jo6pN03.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

2Xd7831.exe

pid	process
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe
4524	2Xd7831.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

784 schtasks.exe
3988 schtasks.exe

pid	process
784	schtasks.exe
3988	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exe

pid	process
4812	msedge.exe
4812	msedge.exe
4656	msedge.exe
4656	msedge.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2392	identity_helper.exe
2392	identity_helper.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe
4656 msedge.exe

pid	process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2Xd7831.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4524	2Xd7831.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: 33	1500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1500	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
2904	1aF72hB0.exe
2904	1aF72hB0.exe
2904	1aF72hB0.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

1aF72hB0.exemsedge.exe

pid	process
2904	1aF72hB0.exe
2904	1aF72hB0.exe
2904	1aF72hB0.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2Xd7831.exe

pid process

4524 2Xd7831.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exeJo6pN03.exeHX6eg45.exeAq8fa68.exe1aF72hB0.exemsedge.exe

description	pid	process	target process
PID 4248 wrote to memory of 3732	4248	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 4248 wrote to memory of 3732	4248	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 4248 wrote to memory of 3732	4248	1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe	Jo6pN03.exe
PID 3732 wrote to memory of 2928	3732	Jo6pN03.exe	HX6eg45.exe
PID 3732 wrote to memory of 2928	3732	Jo6pN03.exe	HX6eg45.exe
PID 3732 wrote to memory of 2928	3732	Jo6pN03.exe	HX6eg45.exe
PID 2928 wrote to memory of 2772	2928	HX6eg45.exe	Aq8fa68.exe
PID 2928 wrote to memory of 2772	2928	HX6eg45.exe	Aq8fa68.exe
PID 2928 wrote to memory of 2772	2928	HX6eg45.exe	Aq8fa68.exe
PID 2772 wrote to memory of 2904	2772	Aq8fa68.exe	1aF72hB0.exe
PID 2772 wrote to memory of 2904	2772	Aq8fa68.exe	1aF72hB0.exe
PID 2772 wrote to memory of 2904	2772	Aq8fa68.exe	1aF72hB0.exe
PID 2904 wrote to memory of 4656	2904	1aF72hB0.exe	msedge.exe
PID 2904 wrote to memory of 4656	2904	1aF72hB0.exe	msedge.exe
PID 4656 wrote to memory of 392	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 392	4656	msedge.exe	msedge.exe
PID 2772 wrote to memory of 4524	2772	Aq8fa68.exe	2Xd7831.exe
PID 2772 wrote to memory of 4524	2772	Aq8fa68.exe	2Xd7831.exe
PID 2772 wrote to memory of 4524	2772	Aq8fa68.exe	2Xd7831.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 2488	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4812	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 4812	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 3752	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 3752	4656	msedge.exe	msedge.exe
PID 4656 wrote to memory of 3752	4656	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
"C:\Users\Admin\AppData\Local\Temp\1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8b25946f8,0x7ff8b2594708,0x7ff8b2594718
7⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
7⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
7⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
7⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
7⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
7⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
7⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5312 /prefetch:8
7⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5440 /prefetch:8
7⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
7⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
7⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
7⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
7⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
7⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,2432991609431011302,12372630432377092271,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4364 /prefetch:2
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
PID:3296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x4ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
bec84d009f631cde399054b3929423e4

SHA1
ca1c1fe9a348e5ee20ec70c58af21da23fc2c6f2

SHA256
3333389ec9a1089ebe18f9747ea4c61e4b7b3bb4a7b0f9c8453d438ed5fcc04b

SHA512
de3f86a6a83d025703a1918f8c4e7b3f653e8cf739f3d1f92f55f8038bc2443a8050c896018fd407e7ba3793d33ea52b9e3f0de40ce7d28da9bc7d2a28c82d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
013532cc3a9ec9a6e1644e26007368fe

SHA1
74bbf0e69dfe28c75267eaeb83fea119aec020d0

SHA256
1fedef00bba9ef4eaefee3d5705cf68c40f4ffc9c7a01920cbc2b8ed5b6e4c00

SHA512
d6edfe1ae90a699523881b771bb8a9b13b2d856f26aa0be54194cd42fd4d2e1364a79fe7be07d300ff672714f79dee1ce3a9a89ff1478f270ce76b8e0b04b979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
d2f875b3c03ef275fa17ca84bea5fefb

SHA1
4d59304ddd57c815b18fceb22b6bda77956d94a8

SHA256
a5f8a750ee1d4185689b4d4b2f84e53ceeb2481eade53153ad8c75bad7dc0ca5

SHA512
46a24f2d3f446fb12975a4e7c1b4699bfa422449c11a8572f0bbedd82c657ccd79a9ecafe9254438eb25bf25a343e5f933ff14dc37267450c6ed911febad91ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
50600b8a49510758d34d39935c3ef1b0

SHA1
972f84f3f03ea158e5b127f2715274f56c4e773c

SHA256
180b75f0207847332b51621f5319dd9955cf18a62729d64d84e1d86fd61cfeac

SHA512
d53a432432775df261f150cc7be60b3248e4cdf09819b5594cea1203eeb1658d4d0f4ce7d27e21f4b21344d3b2eb5974d6a70eeeffb637e4c2ec630844ef735f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
003f17beaafbf2d452cd97170734b68d

SHA1
1046dc1a58983becee4e3f32cae6ce0f5b581efa

SHA256
89ea632fb4a8d136801efc988a1d7595cb95c1e43aadde14de2cec01175d61a6

SHA512
f55c0a1ed816c222bcef46bc14b06a0d012c73eb8624d89a9ba545182eaef3e94a2bf7ec9035de2559b316cb60de9891be7d1ae9322ad18df3143d157941a5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
db0e462fc99f3a52258cda2e82205057

SHA1
5860d0d28507e4daf5045863261238832b412aef

SHA256
1b8d6c09a72f48ef994d5c64f9f537877697406e1605680ba11b4a196367078f

SHA512
9c066ba1879220e4773e41ae29468a0b2e881c086d2b2923d53f3183a806341a55eb9c118188512b27fc7af7921d14c2f757a8221d525eb2f11b0e86a611fe09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\08475ca1-4bfa-4c8c-b9af-19b39169f027\index-dir\the-real-index
Filesize
2KB

MD5
5f6b6d5d1ac66ce1b9f8fc36d41d25e3

SHA1
36892e3c7a7d3db5bdd00f39a16f8dda10b75917

SHA256
61b7601ac10fd10ce7f2bfac43e965e5af03b343ec4952ec0038914c9feceda4

SHA512
d7f30891da3c8e9a10b57dee8f4d1985d9835c404513d880012458bbeb07559386455d8b136b803fa4561aa496e548ef952370ce993462ff8cbdc24581a29647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\08475ca1-4bfa-4c8c-b9af-19b39169f027\index-dir\the-real-index~RFe57a2c8.TMP
Filesize
48B

MD5
e59f74819cb71506d15e0fb8792f4b06

SHA1
641342c23433ab8c1a5f2b574a6ae50c484fbc03

SHA256
b29cc85011a6ccd7714894c3aa2ae0b68ead649970de2ec75ef724a9bd0ecd64

SHA512
01259628997366c435ed86b69d13e68f85ba4c05ce4255895338a3f75d4c6d0f5ee68456069d79f048721ab768ebb6e466d90c63fe056661e99f79524c8cf64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
4e8cd9305411249ee8ff7095bfea7245

SHA1
9f25f2b098687400a5ffa85c43484ee26e0b796f

SHA256
c70db5d9e30a1e247e290c80af99591fa92911fabdc1a4f88ec01bd519ff64e2

SHA512
ef24f2119bbe548407a086e5820108d0222fde9989002f8606ec7ebc5e501da70dc32b566e0bc47432da18dcbbdc4fd44e4356167a245d995595f62171db616d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
6dffc8427840d3e85b6300f888fe820d

SHA1
9904aeadfadd27706db21cd8fbebd88103d0e93f

SHA256
e0b3866e274728d98feaf02a4955d5fdd40e4848a3123f7b2ec6b82ffd403cff

SHA512
21a3fad070aaf27c56fa339196557afb047ee647ffdb44fbab6019b71840f5397199d1e41d09322d7ea64a33ff89335a4dfe8b1124f6478d94a81cd09ebb90fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
2498d630e0241a403219fdce2e8e7c67

SHA1
fd4ae3d53b3f6f60efc241ba98f82d15d172cbb6

SHA256
4e251f5b564bb48c942d5558b12365d4479df270059e1ac99b11c336bcdccd5d

SHA512
6e395d0cc709344f58d6eba8fc8a2d7374a51722edf6117f8817895fcffa029358bf2d138e1b5962a51310ef6bb79eb2dae3f1ac68bda2b53093613db208617f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
c7fd5f4f0a3610cb24e37e126e99d5aa

SHA1
7986477588804dd7b2b9455d76f76e85530b6948

SHA256
6ebf4c28a0e671761158c3df188b2148e9c1640055cc9ec31b823a64a11cc5bd

SHA512
f1d98746b0b006d2c6ab1cc40230a3414e21687be95d4765fbd3bc6cdb735538ab7166166b15090ab3f8c233d123e45c7925c91663aeb0cc956d1e4cfcf6befa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
b731579186b5f1ff699f58a68d432f40

SHA1
01c70bf7c61bdab850c87a0aa30ebcbcedec4a24

SHA256
ac827da67df2411bd07397cf49c75f7bbad93dcde4e97999a6b312dd41146381

SHA512
a8b1f1cc31df71b76ac00770e98402b9a0360536ed62fa96478c8d88a9dbaacfbe6e6cac614f3a5386a50a5818ff0bb695b930fd4607f2063d2dcdbc757d038c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579ac9.TMP
Filesize
48B

MD5
8f7bd65f5213c5f180bd9b5a9ac1c954

SHA1
acee79bb4f0838c214eff10a514518b5a696defd

SHA256
4dc8707973dd431ed70daa3e383a2a5fe7493b7907077ba1b400fce0df17254c

SHA512
1e9c7b455546daaabdcf3b36dd7ffe3c2d7306444e725cbd93fdf0b694f428f1f82131369c80c38929c47e1b2dd173cb9d65bb240bc0ef11fe3e202c8ede6102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c495a39e8c57de0826093295276739c5

SHA1
5806dadd89ad6ad86a28074a32e6ad3bfb67ae30

SHA256
b356e8d372df2a435eb4a558dbed94b42720c10a3b090bb91ea9638606f369fe

SHA512
1b68b4edbdce1b393e1f46f8e28a22756ce554a6137851ab1a582572d4d84d0aa6b41d7ea7120982da1d52d7d8950195f41d48a25e392d366534941d792bde81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jo6pN03.exe
Filesize
3.8MB

MD5
8f20f82e55f613e3387d8a4393d84415

SHA1
1fbb59f002e77b5608e555d5fb856ec649a94128

SHA256
fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e

SHA512
3596ff1cd6012bc0c3f6a8f928dc124499b2c64406ae8e99d994e84c6f8e817869adb3c23a1ca221a418521dbba2592bef264c43514a0dbab794d69b57af3f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HX6eg45.exe
Filesize
2.4MB

MD5
b56c9c48c9be9fe4136433ba42ff386b

SHA1
ca41a545b363d093d54478164341a674d14fc20e

SHA256
6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

SHA512
cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aq8fa68.exe
Filesize
2.0MB

MD5
e1ca89e321f8198d4253c9178eb523ff

SHA1
fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

SHA256
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

SHA512
af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aF72hB0.exe
Filesize
894KB

MD5
3e82adb682d9d441331dde8a3c888f6e

SHA1
6dc1fe6731402b85d721946e65559a375878a3e1

SHA256
4b87018ae58796055ba9ae76bc21519c1e51f7dcfa79344b27047efec6d9d666

SHA512
f346d6eea780ae0cf5faf8fcbb7815a0c461de710a013ac5106c9eaad31dd778765c8709550911921653a13c3e94e5d860b472a671944b51edfa840c019ccca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Xd7831.exe
Filesize
1.5MB

MD5
fb69bac77dd5e98885e6caea73271736

SHA1
51ad255e0b6ffe879375c4cda30f8791a13e1c55

SHA256
302f18643a0476b96ae334230de72d315f753902124fbb9b97d73d73941eed7e

SHA512
3558688f41a573793d4d717316b1243d1371bb02f7f2c41a5156c60fdbc66a38ab36ce0f3c57f6fb4f4da5b546b6f18eff663d5647829432c02ce2693f856716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5y1mnep.xs0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4656_LJXTMNMAVQSSTXKM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2368-72-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/2368-73-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2368-148-0x00000000070A0000-0x0000000007143000-memory.dmp

Filesize
652KB

Download
memory/2368-154-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/2368-153-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/2368-157-0x0000000007420000-0x000000000742A000-memory.dmp

Filesize
40KB

Download
memory/2368-163-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/2368-170-0x00000000075B0000-0x00000000075C1000-memory.dmp

Filesize
68KB

Download
memory/2368-211-0x00000000075E0000-0x00000000075EE000-memory.dmp

Filesize
56KB

Download
memory/2368-254-0x00000000075F0000-0x0000000007604000-memory.dmp

Filesize
80KB

Download
memory/2368-279-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/2368-280-0x00000000076D0000-0x00000000076D8000-memory.dmp

Filesize
32KB

Download
memory/2368-137-0x0000000070330000-0x000000007037C000-memory.dmp

Filesize
304KB

Download
memory/2368-56-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

Filesize
216KB

Download
memory/2368-136-0x0000000007060000-0x0000000007092000-memory.dmp

Filesize
200KB

Download
memory/2368-87-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/2368-62-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/2368-86-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2368-74-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-147-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/2368-71-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/4524-50-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/4524-378-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-425-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-426-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-380-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-390-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-392-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-401-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-453-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-313-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-379-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-427-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-428-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-429-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-42-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-441-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-31-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download
memory/4524-345-0x0000000000170000-0x00000000005DC000-memory.dmp

Filesize
4.4MB

Download