553cfd502f672ddc071b7988611248a36ff1d0827973ba2ace2b1ff8bbecacf4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

antagonist.exe
Size

120.4MB
MD5

5e48790a111de079ca70a59eb415ce1a
SHA1

2e6951e5e22dce6f89709d118852fc4f50d1e7a5
SHA256

aee04eb982ad0e23cd9c482a485ccf6a5a5bb0429246de4ab79f40f66d9b67b3
SHA512

772894e5c40d243cd5fe2df1a6555f7706181c514cd73234ea0db12cdbda447ff8c10295608d433303f19d84246d38f72bed6e9b17db31fc48f364563a5d79bd
SSDEEP

1572864:11f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:gasulbg8yTnbEOz

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4160	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	antagonist.exe

Loads dropped DLL 1 IoCs

pid	Process
1916	antagonist.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zgBELbYHmeUJviN.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3968	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipapi.co
9	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
440	cmd.exe
3772	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4568	tasklist.exe
2760	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638062477225647"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4160	powershell.exe
4160	powershell.exe
2596	powershell.exe
2596	powershell.exe
3412	powershell.exe
3412	powershell.exe
4704	antagonist.exe
4704	antagonist.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
3204	antagonist.exe
3204	antagonist.exe
3204	antagonist.exe
3204	antagonist.exe
5236	msedge.exe
5236	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3968	1916	antagonist.exe	79
PID 1916 wrote to memory of 3968	1916	antagonist.exe	79
PID 1916 wrote to memory of 1232	1916	antagonist.exe	80
PID 1916 wrote to memory of 1232	1916	antagonist.exe	80
PID 3968 wrote to memory of 4160	3968	cmd.exe	83
PID 3968 wrote to memory of 4160	3968	cmd.exe	83
PID 1232 wrote to memory of 4568	1232	cmd.exe	84
PID 1232 wrote to memory of 4568	1232	cmd.exe	84
PID 1916 wrote to memory of 1504	1916	antagonist.exe	86
PID 1916 wrote to memory of 1504	1916	antagonist.exe	86
PID 1916 wrote to memory of 440	1916	antagonist.exe	87
PID 1916 wrote to memory of 440	1916	antagonist.exe	87
PID 440 wrote to memory of 2596	440	cmd.exe	91
PID 440 wrote to memory of 2596	440	cmd.exe	91
PID 4160 wrote to memory of 740	4160	powershell.exe	90
PID 4160 wrote to memory of 740	4160	powershell.exe	90
PID 1504 wrote to memory of 2760	1504	cmd.exe	92
PID 1504 wrote to memory of 2760	1504	cmd.exe	92
PID 740 wrote to memory of 2096	740	csc.exe	93
PID 740 wrote to memory of 2096	740	csc.exe	93
PID 1916 wrote to memory of 3772	1916	antagonist.exe	94
PID 1916 wrote to memory of 3772	1916	antagonist.exe	94
PID 3772 wrote to memory of 3412	3772	cmd.exe	96
PID 3772 wrote to memory of 3412	3772	cmd.exe	96
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97
PID 1916 wrote to memory of 4832	1916	antagonist.exe	97

C:\Users\Admin\AppData\Local\Temp\antagonist.exe
"C:\Users\Admin\AppData\Local\Temp\antagonist.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dcjwuxyh\dcjwuxyh.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC2.tmp" "c:\Users\Admin\AppData\Local\Temp\dcjwuxyh\CSCC35A43898E8C45CE9EA0E2D68342FDBB.TMP"
        5⤵
        
        PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- C:\Users\Admin\AppData\Local\Temp\antagonist.exe
  "C:\Users\Admin\AppData\Local\Temp\antagonist.exe" --type=gpu-process --field-trial-handle=1804,14854573473970787146,11531675654154923791,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\antagonist.exe
  "C:\Users\Admin\AppData\Local\Temp\antagonist.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,14854573473970787146,11531675654154923791,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\antagonist.exe
  "C:\Users\Admin\AppData\Local\Temp\antagonist.exe" --type=gpu-process --field-trial-handle=1804,14854573473970787146,11531675654154923791,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2352 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97292ab58,0x7ff97292ab68,0x7ff97292ab78
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=548 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3856 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4580 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4792 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4084 --field-trial-handle=1952,i,8720852615718179501,6336385960069500995,131072 /prefetch:1
  2⤵
  PID:5860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault78aec281hf7e0h4fb5h922dhfd3cd63c0f5f
1⤵
PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9726846f8,0x7ff972684708,0x7ff972684718
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,7962142868531560437,8502647095943452121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,7962142868531560437,8502647095943452121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,7962142868531560437,8502647095943452121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
52cc110bb3777aa6bba7900630d4eb49

SHA1
3663dc658fd13d407e49781d1a5c2aa203c252fc

SHA256
892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

SHA512
89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8b9049e35cd70a1c66e92a4f1011e332

SHA1
69aed5e25250e07d5ed265e0f4441aae9a167c44

SHA256
a398d25fe83f6d77a776340a54c10b39248def6c369e5f1dbe19424fd7e37eed

SHA512
fa3cf7a1738237f9ba4be4038f12f5a46d6d8838f28ebc30347229f90c0e88ba1d10eb13849c8e8f78dc431a9282b1353188f52286fc234fb26a2144b718a070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
11a9126fbb3a6e37d9861c5cf1f2ead8

SHA1
e76ec0e8e995b9663006cf6873210896f52b5dcc

SHA256
3dba7c12e6c2f6b844c63f7fb170a101e609e3bad362775f3aeb91695695ae01

SHA512
3c31c02068d8cc34034a37a3f2f88572ea001d73378fee50631c00ebb2af13357520d222c5c2d2807ea8f387b50c674e89b7aee1e1f2d8d06152ef7ee5bd10cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
74c56dfb4f371200b40bd2456c736e19

SHA1
d9f4f5e98d8c81b8bddb5d2bc7d2c0fa904d129d

SHA256
29a7ecc91ac19fd532122b06193e20180397f848ab425b1de1dc68004967589d

SHA512
f3ada7d99d38b880b4ca13c8de00ed7e2bec0f22e6f582664890ddeb868a487f942ef5275a7f5680d5a82017da6687092da85e0d8cebed1c0c0f467c24e1fb46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
a566fd8f626d6f45110a9e3ce6fa1a4d

SHA1
bc8114ef7cc1a571c70f17115cdf1ab3ec33c9c3

SHA256
133d57543f20af322849f45d6275f824cb42c29b93123418ec1c8f493910042a

SHA512
d6772738435cff790fad0ba34d8d9bbb60dc15d5c6731d579ff9f568230978782225ed600bbc4ad70b6e28e54ae2df64b3c921c7ac379486f0d9e20cca854e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
8781235f1bdd7ce96e97f42e036cf4eb

SHA1
ed22725787fe01c6625d572e3b2fe3cca9273ad4

SHA256
f50804af9428ecd1e61ec7db3f92df2c451d3bc8634f77d87ebbada7f2332351

SHA512
d44f20cc3269f6be433837e2b3a8ce44c1b7385dda17141bbfedf13e8cd9617d6e8c421e75c345cc79256f2ad46f6e06c076b058ce993daa0e499d3417ad86c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588671.TMP

Filesize
89KB

MD5
79d3c2dc0ba86ee539aa4e10cb25c623

SHA1
220d96d929c8b9575f4405ce1bf357731b9178cc

SHA256
b153ffe20d0d5b80959735561368d53d7a1617135de4a12f57d46f875d693a85

SHA512
54750c6ef7302f88967784b581f8ae535f9e440aab7e3d0167562ef2296edba0bd553dd0932f99136be0ebb1a8bfb7cb114f8ad5084c1b4573c3048bb6f4189d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b167116ed409eb9e49b76049c22c9d3

SHA1
8abc2b0e6f2770ca17e0b668866d8196f1b25644

SHA256
1a5a3eb91bcb3b3425fa71e91299c0da28105ae8b2902bcea6f8bbe57d67606f

SHA512
f73847b4d702f676815c021d4c82906a28a78d8d2546dffb16786f8ed82be9462cfd5601f40d826df0d1f6f9bcc6cfd427a0b4fe81d84ed596879a59c703af29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c08d3aa8a1014c586d9e504c4e702b5f

SHA1
b7b10a9dc3a22d498ed979d1a6e2c11b9eeb9aeb

SHA256
6602f9867aa487fe4eb1538cc73a803d0e320817ad30dd1e871946111a92b2a9

SHA512
6a9552d026de9d23fdb952e7e2831ea10a409108052a6f97ccb781f897b5e7394417fdf947c4a31aeb28ab8a683e333373375a784af916099c6195cbdabe2472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
542c0d51398ac06472bebcd275dc6d0a

SHA1
a7129b4c8f8924c9e6fac4c169663129013868e4

SHA256
76de2844cb83ce15f6c4ecb6e7429d982e1d59569dbe7b397364104728f2ca8a

SHA512
403e99856b70eaf5da173e8f7cbab9803fec8d31f49c99fec4af06f699c797f29238e67b7036e6284b50d1c698a51e1a0e1507a44924b4f4603e7c1cba1e9c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\6984b65d-2430-4a99-90f5-76fb33854335.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admincookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5AC2.tmp

Filesize
1KB

MD5
44e8d51e7def1f2b854264fcddfcc94d

SHA1
14de8df7dd4d12773310cc47af4f444765262215

SHA256
81add4a66b357027338c871dbe5108c21d6dcfc44d331fa5d15128a25ee4a35a

SHA512
65225d201425887a7612680711f985beb5847e9ba46fb4d398ecf4f312c833b655699fe384d8baa8651c23eff33cb3b797a13cafa747cadc94e44d9183409cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jq1nzi1l.xzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcjwuxyh\dcjwuxyh.dll

Filesize
3KB

MD5
706f721af5541dfd69b27921220a3fb6

SHA1
0aa72eedf9936dd5c2e87c829638fcce58a9d2b5

SHA256
20da0bf76a4671042129f823ea8f322e65b92563ad9e5f60f778417804b1f50e

SHA512
759ab35a6bb31688b12bbe97e797c04497a9c9e0c335bbbbeb1f0e13ad27f02ef127168fcf5d2923dcfc10006e3f22ff6302456f32c2e32d99c491318ae3fc4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjwuxyh\CSCC35A43898E8C45CE9EA0E2D68342FDBB.TMP

Filesize
652B

MD5
7aa170adcd4293c194433798a7d9c51b

SHA1
45ec4987d05aa38457759f97a2d04350a4893aca

SHA256
d541083c1153db1136ed726feba9a97cd81f85c25fc3917cd4cdc74f05074878

SHA512
a01d93a06dc9e727e6e8192d8c897e016a3baca5236a1bcad1e20adadf1e73c81cdd06bc19cf02f905538742b73c0ca0fb6546825bbaaa4496fcf495fec02a27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjwuxyh\dcjwuxyh.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcjwuxyh\dcjwuxyh.cmdline

Filesize
369B

MD5
02a0ff4ae0398e1b50e34d9a8034271b

SHA1
52aebb934265254c103c2b40a346553b1c29d579

SHA256
324198fae66bb3a82d0bc7fbdf68cc7f30d51c735395dd68757bbca6929f2079

SHA512
7ba57a1b5a1b161a2574b2bb76ac641afa09123e147978e7a4fd80a6b3fa14af61fe3d0e60667a512a8451f1894587a24303e7275b00a6b97b93c19b8cc35e73

Download Submit
memory/2596-43-0x00000241A9640000-0x00000241A9690000-memory.dmp

Filesize
320KB

Download
memory/4160-40-0x0000028C0DB40000-0x0000028C0DB48000-memory.dmp

Filesize
32KB

Download
memory/4160-11-0x0000028C25DE0000-0x0000028C25E02000-memory.dmp

Filesize
136KB

Download
memory/4832-72-0x00007FF99D400000-0x00007FF99D401000-memory.dmp

Filesize
4KB

Download