discordrat | 85a287edb6eeb66eeada945ff71c946a76171be92244071c07d0ac5553d96cf2

Resubmissions

28-06-2024 20:12

240628-yzbfms1blg 10

28-06-2024 20:10

240628-yxrpvatenl 10

28-06-2024 20:02

240628-yr991atdlp 10

Analysis

max time kernel
2160s
max time network
1887s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

c053ebb3f0f90a7705729579d25dd194
SHA1

fe045f0584ee3656af1e89a6ca37ef68e7f252a3
SHA256

85a287edb6eeb66eeada945ff71c946a76171be92244071c07d0ac5553d96cf2
SHA512

a5beac0ec0b1ecad655f52555ff83d756169335be383bd2dd4310b4e9d2120fb939ed42116554ae1544ed9db56a3846d6ca0369d2af0430a8d7c3717e2223854
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC

Score

10^/10

discordrat evasion execution persistence privilege_escalation ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzYzMjcxMjk1Nzk1NjE4Nw.G3MXNZ.B896PWyca43CGShZp7WvFVoaKLYOSP1no8IyaM
server_id
1247637478639271976

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Client-built.exe

description pid process target process

PID 468 created 636 468 Client-built.exe winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4876 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

2836 NetSh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	pid	process	target process
PID 468 created 636	468	Client-built.exe	winlogon.exe

pid	process
4876	powershell.exe

pid	process
2836	NetSh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

Processes:

flow	ioc
66	discord.com
72	discord.com
78	discord.com
7	discord.com
58	discord.com
61	discord.com
64	discord.com
79	discord.com
84	discord.com
4	discord.com
29	discord.com
69	discord.com
73	discord.com
6	discord.com
27	raw.githubusercontent.com
59	discord.com
70	discord.com
62	discord.com
71	discord.com
76	discord.com
77	discord.com
3	discord.com
60	raw.githubusercontent.com
63	raw.githubusercontent.com
65	discord.com
82	discord.com
85	discord.com
75	discord.com

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Client-built.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD43E.tmp.png"	Client-built.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Client-built.exe

description pid process target process

PID 468 set thread context of 4860 468 Client-built.exe dllhost.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceState\EventLog\Data\lastalive0.dat svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 468 set thread context of 4860	468	Client-built.exe	dllhost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceState\EventLog\Data\lastalive0.dat	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies data under HKEY_USERS 13 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 44 IoCs

Processes:

Explorer.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Key created	\Registry\User\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\NotificationData	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000032e6601a3c92da01534097b24192da01534097b24192da0114000000	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3300 Explorer.EXE

pid	process
3300	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeClient-built.exedllhost.exe

pid	process
3920	msedge.exe
3920	msedge.exe
4076	msedge.exe
4076	msedge.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
468	Client-built.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe
4860	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3300 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4076 msedge.exe
4076 msedge.exe
4076 msedge.exe
4076 msedge.exe

pid	process
3300	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exedllhost.exepowershell.exeExplorer.EXEdwm.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	468	Client-built.exe
Token: SeDebugPrivilege	468	Client-built.exe
Token: SeDebugPrivilege	4860	dllhost.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	432	dwm.exe
Token: SeCreatePagefilePrivilege	432	dwm.exe
Token: SeAuditPrivilege	2576	svchost.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	432	dwm.exe
Token: SeCreatePagefilePrivilege	432	dwm.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeAuditPrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	432	dwm.exe
Token: SeCreatePagefilePrivilege	432	dwm.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
3300	Explorer.EXE

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE
3300	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3300 Explorer.EXE

pid	process
3300	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exemsedge.exe

description	pid	process	target process
PID 468 wrote to memory of 4076	468	Client-built.exe	msedge.exe
PID 468 wrote to memory of 4076	468	Client-built.exe	msedge.exe
PID 4076 wrote to memory of 2568	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2568	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2340	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 3920	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 3920	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe
PID 4076 wrote to memory of 2992	4076	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{186b24cf-f8ca-443b-8d7b-02cb24c246f1}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1900

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1368

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa791b3cb8,0x7ffa791b3cc8,0x7ffa791b3cd8
4⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
4⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
4⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
4⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
4⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
4⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,4865888366059660709,17790995100864661263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
4⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2076

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3700

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1592

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
816B

MD5
5d3839edc0def46be5366a573d213c89

SHA1
1c82aed1c360013876f0df2aa7425938f9e9936e

SHA256
e1db6b8a17b545e2d3e3b6b849fb06994d1496e0a2f1047ae0b3fc64692f54ce

SHA512
30fe8e225329585ab50f488757d074e3a4ffe05f6043bbbd069713c875656c0be0911decb0f1f994812258d4c832bd27be66a70eda5c1c934bb2a5d085d1344d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
e2020b9c99dfc794853af7ce4d70ebd5

SHA1
ede4def955cac0955ee0bfaaea316c9a65d2986f

SHA256
b176740cea9670485e8176af32f34bbc8adb0ec18ad390dee375cb84d62a6edd

SHA512
46aecb53e1d0593359cebcc8e7e75a63f9b1561889f2c7189b1a8791bff3229ad8f92ea891b4e58798ce90c36d6e9434a8edc54434ade815fd34cc8f45a6263b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
12b66a51119837decf9a4eac538f60a1

SHA1
feb073a1241925e2d95ab5efac4c91f882121c0b

SHA256
942335973ad098a61082a6cb8bf438034e8182eee70e201e88fe9df702fe0d77

SHA512
dfd8449aa97ca312fda8671f02006baa43b05b86a3b0e95e22000e3f48ee08d4ac89f8322a88a5eac47a7cb5f862b06a948b6f16ea7278dd96940ff7b59a8c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2a21164224195e9c504e68578304100a

SHA1
9d6c4e0e690c81c164356c1fc9d0f1a91fea1674

SHA256
2eac7b323b7c525b3f9245e534111f81f03c2f167eb9918b9b70707d43d5447f

SHA512
df2899ec11db054e170da89065f86d9f56ed5f494aa715c9aa30cd5c46ed067766226e4a29afdf84a77932df9131523b2e82788737b4cb3ee46f4372758ba2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
5c4121438f10ed06f28fc8ea3a15ee07

SHA1
ceaa7e9f1878f7586af6b24de548114a5ef87357

SHA256
20c89d5ea3eaaeeb8956b55c3e03d64bc84ee0ccd9a5914b6be21e3d0ea430b5

SHA512
41d3b8cc252c85e2a277546336c08096de14cd1e0b7fd578bac2372b052d9a85e45aa8c7e1cecb6daf311e27a658a65c97047743f4ca91f97891656eef486a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587f2e.TMP
Filesize
48B

MD5
b9bddbc305d9a73a856ee95888a797de

SHA1
c67ab82da7adbf8671437e5654958a5b47f5f609

SHA256
21302d6de066848461e244a1fc8978285d92f10d33787d87fd6d5f3fdf440630

SHA512
f4e8dc65aa9376ebd7e5bb0670dc6a54aad4008a5d1504e8421cb953cf2221a1535c24cb319df264a77789df7396fab87a88d5cb60d1480bf79c998e09c7bb0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
6d94eb4178d695b91b2f1199c610dbc7

SHA1
6535f284154406088ca63470b9d71fe6bf11c957

SHA256
a87d979d5f249caba4b9eec886d3e2bc1516d7f74796646af8bbfd4c9b6f05fb

SHA512
893f20d47245899e7f2ed21d42da1f4e3bc11d1038a317905c6728419f6ff40ebeb148ab8e775fa037c8787845363e5e5a43866fee9cb2967ea88fcbb535e8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5ujueii.trr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD43E.tmp.png
Filesize
40KB

MD5
5fc2f9ad7b2e58828577319379faf963

SHA1
5f0d8a3e38ba9e4ab98ce576daa5be1103209de3

SHA256
462228cb298dd2512b5df3ec31d1b1bbe7136fe6a480f3643e64b29586893e7c

SHA512
44e460325244a3994cfb4d839dbb16baa64dfe97de511ee5a2e1a87d1f6ee9897fca662501459b738ca13aa6fa939c63952ef8d2540318a7afff46e1abd52fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
Filesize
62KB

MD5
e07a089a977c46136f6dbbcfc7be3693

SHA1
3b2dc89ce6c9269732f2c324b4b3f86eb82aed62

SHA256
71b6d4b1cb456f0956e9205d670fff20387ca17eab8f80b8bab2eec034f7557a

SHA512
947001f0a8ef1db8891afda6f58776e30cbe844d7799de934879a9f415fbeb6cb5d6c0ff7999db6685bde1264efdfea06cffc0e604797a467b9281c6c7c20b61

Download Submit
C:\Users\Admin\Desktop\AddResolve.eprtx
Filesize
195KB

MD5
25edfaf1c076754e9f099d2b384fd436

SHA1
c8ffbf8ec6a624745872297e01370169974d6bec

SHA256
13f8149b2334387d85644a1b4bff9fe6ff51c9fc4a7cea37f0c0960bebf973f7

SHA512
154337f13074bd6f1d904af4d32ac10dca4659409e55fb23c9b392844f7339e12ec21d12904df0b6649181e877fcfe7aa567f74d30f0a4ca375f6a2e2e701d68

Download Submit
C:\Users\Admin\Desktop\BlockImport.xlt
Filesize
297KB

MD5
e534dc088c2af4015513af36c0105144

SHA1
64d919c40284b0e0dbab011593c5ae9b903df900

SHA256
cd579f2760da2cbb5d1a2daf6aa05e89843d2d307d8e9c4acd1b8febfd8fc964

SHA512
2c7f650e2859692c3bc35978ebe96fd609df4d1ab202de5acb489c06ce8ac4f7b7cee0f16aa44f3accacaf2b77e602be08f283717fcdd186564edcd8006abde3

Download Submit
C:\Users\Admin\Desktop\CheckpointConvertFrom.htm
Filesize
188KB

MD5
ec16832764d9721edddfc0926f94bef7

SHA1
014f9fb7573da6a5f1eea81073f047f9a417de1b

SHA256
22e48731d5b0c8973565e05ba31d652e91636d5b4aceab3029e6d4a4c6b1314b

SHA512
70e006ababa481b3c467e2c118e9b1a07b86bd69dcadf6e88871e0b5b421b3ddae65c3f75917b6b3b710bd593cbe52c0188a36e4dc7cae3c2cd2b1124c465084

Download Submit
C:\Users\Admin\Desktop\ClearUndo.mov
Filesize
203KB

MD5
21d2fd7b35bc21bfb42fee270c8048f7

SHA1
b454f1eee144a8165e222f5b9f99397ebaed642e

SHA256
83d8a56e7eb1cd92c6f512e02f02b76b1ac4251a00d4fabc715e196dca8434bb

SHA512
693763954f90d9cf6755373a5f792de1a1e79b87f88dacaa03a61060f4e0b99ccfebde74bde6abe7de46ac2799660fa25f262e007d53950dcb3d0c10ae5214e4

Download Submit
C:\Users\Admin\Desktop\ConfirmCopy.m1v
Filesize
109KB

MD5
0c895731aade9bd043d4a7c1c9bc29ca

SHA1
a24522e797eee6072030c44f924ec1f11c6b9de6

SHA256
9fff73a2964c7b5eef6ebbcb4c491ddd01c18a7edf48383e07f6d288487c31c7

SHA512
d44018a697c2329a1fe4a400c989253f0d725f9332aafcf5b8076babe510b90a0e8e9144d1548b8b5a2474816236dba94a2f5036c7d911c62981910e90e40e3f

Download Submit
C:\Users\Admin\Desktop\ConvertEnable.pptm
Filesize
180KB

MD5
ad781833daa248045e26dd7899873240

SHA1
36793e7ecc2d2e1de5b06afc23ce5e3208a4abac

SHA256
0cede6e1c50f3087b3e3f1ef50501879dc8f1e84cd1d860bd2f440f459c9341b

SHA512
bd6f7fd80fe12dc7c00863f319b30a72199ad7633bae9ea48a14429df0b10f18ae0fb840727f9871e56687dfa36473e1d4a5319e35e44c78a54f5bf6321641d9

Download Submit
C:\Users\Admin\Desktop\DenyResolve.mpeg
Filesize
289KB

MD5
d58d20a2e264dd8494734b8a3a9820df

SHA1
5f63b407a4f55960719d91d594825f7c25fcccfb

SHA256
a35a119dd5aa7eba6d4f69b52ae8708190bdb8a6f31ec67ad0c793d848b78a8b

SHA512
d4e7d21f66b88c9203c39fc92fe6c343886cb3df0fc538a1bbe4e4ece87d9a6f3c67f427930497dac7e9c9ed2700b8c0d7279eea14c808091e964abbd677848e

Download Submit
C:\Users\Admin\Desktop\EditOptimize.iso
Filesize
219KB

MD5
372ddea3d7ff2dc18254548474ff11ec

SHA1
77513cc257935eab31a9a8fbf69506bfdac25059

SHA256
326c90f19957bdb367fbc1bc9ec8ce4d63ce9b504bf00865d362863cfe05ad16

SHA512
01a5aa60482d45287cafbcba0d6c843c9f163580b330e62f134026c49e8560a80ffae2dda3f16f1597b54b4d600b63e439ed9d71d3e3bbecc5577540ed2aa032

Download Submit
C:\Users\Admin\Desktop\ExitRename.lock
Filesize
282KB

MD5
1ee289acb67a4416c6ddf81a6720c8b5

SHA1
e18cd94e84caadcc2214ff91b69295452556cded

SHA256
2fb281d1827a1b5b2d2db8df45e9a01299e2e769b3fd29940b8d98f144658b22

SHA512
74f63d6ce0d395c34b8f2949e020718c8bac08ee370798bf899d055b96a894379ef008476e56dbb1660b34c2eecd12658161372130041d8a584b03b2198c261b

Download Submit
C:\Users\Admin\Desktop\FindProtect.jtx
Filesize
250KB

MD5
b2cc099a67e1f2a78428c8efebfc9526

SHA1
c4557c0a0679abd433488babf3f5758c52a9e68e

SHA256
884f81f350ff9765175c598651fd6e02db70d2bb3afdbd3f4c1d61a866f88076

SHA512
c3a3c50403ce67c1f7b26f5cc25b7490a000c7382d44b6a1a38123c357b2be52c1d0f66a03d592b234b8ad045a3b3870619a4a75d1baa57f011dd3195a416dbe

Download Submit
C:\Users\Admin\Desktop\GroupSuspend.odt
Filesize
313KB

MD5
6afce5662d7a7c1a9b7e7efdbcb512da

SHA1
333380f8c996a590a3b13e93d0db750f378c0468

SHA256
3324c793572873aba3f4430864b857d522c0b888006e9ab2b92b142c78c3277a

SHA512
246e16ab70886653863c5772014cf3efbdace2b91c54af772c4fbdca9577b99c888e4ab4c83181b8f9424a11984b466aeae9ed2485b13b2735aa5b19c750c1dc

Download Submit
C:\Users\Admin\Desktop\InitializeDisable.ADTS
Filesize
305KB

MD5
2dc774c61641106fcc033be1bce3773b

SHA1
63ad80eaff79bc383351332fc23361c0a02fc9a7

SHA256
2cf927099cd9d83754d0cc772a4c5459c83aeb0bf1e3c39d9369e47df6d406a6

SHA512
ff76cacd3518dc09533b96f0723ba29e02bbebe186e1f81777315b7dd49002258fec58115cac432f8223961ec1304c84481466a63578e4a25c78ba6c7bdc408e

Download Submit
C:\Users\Admin\Desktop\MeasureCompress.midi
Filesize
430KB

MD5
427b57575fce72e3fa3d5ef6d98f7454

SHA1
0b66f24a6a8ca93ac9eed37cd18b163af7eec77b

SHA256
d6e2aea9fe744b0c207b62cb44c02c48d628d32bbe13ff6c07bf5b8936e879b3

SHA512
6ac4b5c83646f8237440d70973fb7338fdd42d5c1f0db50b0478f3e080c48adc2ab69ffb3e6e9a66a240d48a984b6a73434db214f0adb711bfadfe6b25e5ee56

Download Submit
C:\Users\Admin\Desktop\PopResolve.lock
Filesize
258KB

MD5
613e99614e20678b7b17ae2c2d0cb4f1

SHA1
72abdd769410f8e1a0dc863b0087a0182c3574e5

SHA256
ab5025a3c3a2d31e9d592ded629d8b153a316321b2fbec48af5f164e3ecc91de

SHA512
d026e1e2fd0f4b076115e0a3156add3a7baf2e62ecc55a96469439bb9851dba1b24878f9bc6219399e2493b6177923d2bd423c12b2c46f1a20fc5ea1beb9a47e

Download Submit
C:\Users\Admin\Desktop\ReadAdd.mhtml
Filesize
125KB

MD5
bf1b1442292aea723fda91c5a917fe17

SHA1
bea8f362f2c07e5c7cba668e258fee8b26432bc3

SHA256
3ffa6299702fd66717211861301e559814d0c6e7dfd78c00a0d0d9773e43c8de

SHA512
6ee255074a841bd096c54702b11b1f86548d8f08ab7ba5733b77ee87d2778ec1b4f7df72f7f33c16ae756f665b5f5b16435d5ac4a0c8b61ced6507ea0ac14c69

Download Submit
C:\Users\Admin\Desktop\ReceiveFind.php
Filesize
148KB

MD5
f28203faca25301c9223d8711020965a

SHA1
4ee5d07bf69d3c97fe322a13ff81fd906b61f863

SHA256
84fd86e0921d5c5bd72a65c3a4f60f460be56d592bf3470eabc00523d3c12cbb

SHA512
cedebbbfb48a3e211ad87a8d8cd15a45cad1bd3a27c9a56c8043457e428f52979c337eb3d86b840910f06aa7a6cbeaf2625d4b5067e0146c4ec9871b65616f0d

Download Submit
C:\Users\Admin\Desktop\RegisterExpand.wmf
Filesize
141KB

MD5
f6cf7fd841bf6621c6e9bd00b100ffa7

SHA1
f679a351ba6d30e8012f8ecbedeab240b5e5879b

SHA256
c87af215f0424e57aba3e3f2359c9f3790815f11ac5951d942297cb10f8e3c73

SHA512
2413114e48cb21619e8873248a8c25d15cbe3d0682db3484d600d0508ee38b28d6a16840f0bc00783c7260a6e1b8c36dd724cd8e07b88a2c21677d75441d1a8e

Download Submit
C:\Users\Admin\Desktop\RepairJoin.xltx
Filesize
235KB

MD5
12cd234116a0da389167bde96d9355f9

SHA1
c8c64f5ea3ebdce4a5b1f477c68c3c3b24ce42da

SHA256
78f0673c01571e55dad1c203fbb5ef6b6a75daf63bf9235d01101c3fad25abf6

SHA512
165e593d50230bc0d558ea8aad721782ed9a0d22c5ad142a2bc4d38639ab61ce05bfb5344b8e61b8ee79a06d197e31a9ec6dc7ca7aae691d94bf7a833604e9a5

Download Submit
C:\Users\Admin\Desktop\RequestUndo.ppt
Filesize
117KB

MD5
64a633378dc530c39198e904cec53028

SHA1
e6c35aea1c9b762e64f1221600d22e4d5115424d

SHA256
c5c979f26e3a53d11b7c7ea3a511bc7766eccf6059436fc63a4020ed8fd1c541

SHA512
a288858e6b894d89aba7a15e4b801197f7a155f40c27c2b4a3e0d3387873094a4fe58b4ce1a65e1ebb112d30ff45504a7ce554c7cb805d2bbcba3de57f117804

Download Submit
C:\Users\Admin\Desktop\ResetCopy.dib
Filesize
133KB

MD5
c21f81105e8feaca2e366f36b7a1aa87

SHA1
6b2eb308a2750cad5f889134ce7d3be9987349c7

SHA256
b1200618b2d72f9497121b1919dcafeabcafc5027aa2e33b657bfa46d1730034

SHA512
02607dfc5cbc6310625b7dd5c89375ad64fc3a69b074247a728557f815bfb225bee853dd1189d7c604d940704092c79ac5b9bfa00865d33dc2dbf7e018fcb5de

Download Submit
C:\Users\Admin\Desktop\ResolveImport.potm
Filesize
211KB

MD5
8bab65836889c6dddbe0521365dcee1a

SHA1
dcf10004570017bbcfb56376e718f6e73eb13b4e

SHA256
6f87cc5e76272800fae4f4666c004bf40e4cafaeece8f92111ee31667e527a23

SHA512
39b8c31abaf8162e43e1bd9ff2b82901450ab253a0323ade2a5d745d471bf4beb0d2a83a8f729ff0bb417297703d5a58a9391bd4a12c3ca450ee86166066ba6b

Download Submit
C:\Users\Admin\Desktop\RevokeGrant.MOD
Filesize
164KB

MD5
3764a8366638b276b73ff7cdecc48730

SHA1
3cde34a0ab287b14ca3d6aa3472230d70415c095

SHA256
aa6e1997dfb5d38cb3b3db2468a5fd0b0201f9ede55f50a83b996c4e8f7af3a5

SHA512
8d205b0686bdf7617c1b2d657821706d06e0d69c8845be1784d5749ec624f75ccfa83a3486678d6075cd71ef2ace1632547d4a13d89234714798960994ccb99a

Download Submit
C:\Users\Admin\Desktop\RevokeInstall.txt
Filesize
172KB

MD5
af3d8da8fa4f944ba17bf7c75919930f

SHA1
0f3048a5698a3cb40e41855c0ea57f8d6c21d73d

SHA256
43f6504dc8e1b8a23d83270c8f2ee45bc40dd1742708ae36643568faa716d2a7

SHA512
edaebdd82c2f050158714f7d46d58309e254e262c2d13a2fc758c37b7cdc6105c12eb8bdeb6baff067f68dc529a18cb87ad2f70cadcd13be2149a167ef80f098

Download Submit
C:\Users\Admin\Desktop\SyncSend.asp
Filesize
274KB

MD5
da9c91fdec011a31aa83a6b8788f5af7

SHA1
3ae18751d50869412a3ea6c8d9a1d3abf153683c

SHA256
502235f18da7508c3b60cabb66cbcf9ab9494d1ef1741c7ef8455ebfeb213f5f

SHA512
59313ea582f9872fdd88a54bc471bcbdad35690718f4776bcd288cbc0a3f36f8981edda763eeafcc011571f5e881c1bf9b495926055dc240156539a37e29ce49

Download Submit
C:\Users\Admin\Desktop\UninstallWatch.jpg
Filesize
266KB

MD5
ff3fe166c489417b7a5ac4331753f2f9

SHA1
e1ddc9c6fa84363acbbdc7a5f6e6a45ba6fad2a1

SHA256
5794442ffd8f1d460b6d91a392d4fedc71b9e54df0b20b65bf85994b5ba6145f

SHA512
18414fea1502ac74ef2d0b3a8c93cc3ee5e31671a73c54e7374315166b3893dc83c54178e731032702e947cd525f0d09d783df9025048e186534a19dcb10701d

Download Submit
C:\Users\Admin\Desktop\UnprotectClear.ogg
Filesize
227KB

MD5
01df5b47985e10e06039a6fa64f68669

SHA1
9e4959220948c69e3770f27f931f6c759a5060f8

SHA256
d4203507ba656e7708d5b9ecb7cc35056fa51a3c839eacf427e6503c76d228d2

SHA512
6605333e4115d7c116fcf16c7b19f12a34add01d22fe953d4528267caec24758f75b0f1107e78ffaaa50991090f320d38dfb0b841e49800d99fd84cc22fa9fec

Download Submit
C:\Users\Admin\Desktop\WatchHide.vdw
Filesize
242KB

MD5
e15318d0f5f355d74ac76aae7df43e6b

SHA1
5eb0618fddea0ee9226be245076cb09fa2290092

SHA256
172e92a157a9b4dd2b328300ecc357585ec4a2e49c924506d97d8ae880bcfe52

SHA512
dcb4ea623c22e9e8ad27064773cfcb0d85e686c7d384a9766159abdec851d0f1924babeb70e07d90c66e0cb3ba9b8e023ebbdc60bf99337dba0b20b02e580a20

Download Submit
C:\Users\Admin\Desktop\WriteDisconnect.wma
Filesize
156KB

MD5
cbee7e27df5eb724567e2861c508db23

SHA1
2ad865b39302245fb7e2ad2955f86e308f66335b

SHA256
feb726e0c89e28a6e9adf251b18436bfd9fe306c7f5b6825fa335f2fcb3b2421

SHA512
6958206530bb658dc14df1fe9070786ecd5586a8274c1e4a30a4e2aa66d20832a62173fa3df0395ae1928c3850d8f07eeb9b7db4301666fc2eea4e82d8e5506e

Download Submit
\??\pipe\LOCAL\crashpad_4076_XQETNUOVHEOMFBXH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/432-260-0x00000255A22A0000-0x00000255A22CA000-memory.dmp

Filesize
168KB

Download
memory/432-262-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/468-5-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/468-244-0x00007FFA9CFB0000-0x00007FFA9D06D000-memory.dmp

Filesize
756KB

Download
memory/468-242-0x000001F433AA0000-0x000001F433ADE000-memory.dmp

Filesize
248KB

Download
memory/468-241-0x000001F432BE0000-0x000001F432BFE000-memory.dmp

Filesize
120KB

Download
memory/468-240-0x000001F41A1F0000-0x000001F41A202000-memory.dmp

Filesize
72KB

Download
memory/468-239-0x000001F433A20000-0x000001F433A96000-memory.dmp

Filesize
472KB

Download
memory/468-616-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/468-1-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

Filesize
8KB

Download
memory/468-2-0x000001F432C00000-0x000001F432DC2000-memory.dmp

Filesize
1.8MB

Download
memory/468-243-0x00007FFA9E920000-0x00007FFA9EB29000-memory.dmp

Filesize
2.0MB

Download
memory/468-3-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/468-0-0x000001F418480000-0x000001F418498000-memory.dmp

Filesize
96KB

Download
memory/468-4-0x000001F433ED0000-0x000001F4343F8000-memory.dmp

Filesize
5.2MB

Download
memory/536-269-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/536-268-0x0000022A47330000-0x0000022A4735A000-memory.dmp

Filesize
168KB

Download
memory/612-272-0x000002384FB70000-0x000002384FB9A000-memory.dmp

Filesize
168KB

Download
memory/612-273-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/636-251-0x000001AE3B8B0000-0x000001AE3B8D3000-memory.dmp

Filesize
140KB

Download
memory/636-258-0x000001AE3B8E0000-0x000001AE3B90A000-memory.dmp

Filesize
168KB

Download
memory/636-259-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/688-253-0x000002C58E990000-0x000002C58E9BA000-memory.dmp

Filesize
168KB

Download
memory/688-255-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1000-265-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1000-264-0x0000023D334E0000-0x0000023D3350A000-memory.dmp

Filesize
168KB

Download
memory/1040-279-0x00000232335D0000-0x00000232335FA000-memory.dmp

Filesize
168KB

Download
memory/1040-280-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1048-282-0x0000029C51E90000-0x0000029C51EBA000-memory.dmp

Filesize
168KB

Download
memory/1048-283-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1140-286-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1140-285-0x0000024AC39C0000-0x0000024AC39EA000-memory.dmp

Filesize
168KB

Download
memory/1204-288-0x0000026B26CE0000-0x0000026B26D0A000-memory.dmp

Filesize
168KB

Download
memory/1204-289-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1248-293-0x00000243124A0000-0x00000243124CA000-memory.dmp

Filesize
168KB

Download
memory/1248-294-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/1284-296-0x000002171EFA0000-0x000002171EFCA000-memory.dmp

Filesize
168KB

Download
memory/1284-297-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp

Filesize
64KB

Download
memory/4860-247-0x00007FFA9E920000-0x00007FFA9EB29000-memory.dmp

Filesize
2.0MB

Download
memory/4860-248-0x00007FFA9CFB0000-0x00007FFA9D06D000-memory.dmp

Filesize
756KB

Download
memory/4860-245-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4860-246-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4860-249-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4876-492-0x00000261EC370000-0x00000261EC392000-memory.dmp

Filesize
136KB

Download