hxxps://drive[.]google[.]com/file/d/1EeDZ17D5Hg4oG1T0fdu7OwQr5HD1voBV/view?usp=sharing

Analysis

max time kernel
102s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1EeDZ17D5Hg4oG1T0fdu7OwQr5HD1voBV/view?usp=sharing

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4312	astraware.exe
1680	astraware.exe

Loads dropped DLL 20 IoCs

pid	Process
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe
1680	astraware.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	astraware.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
11	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000002356e-178.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 74167.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4488	msedge.exe
4488	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
6084	msedge.exe
6084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5720	SystemSettingsAdminFlows.exe
3876	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3268	4488	msedge.exe	83
PID 4488 wrote to memory of 3268	4488	msedge.exe	83
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 740	4488	msedge.exe	84
PID 4488 wrote to memory of 4924	4488	msedge.exe	85
PID 4488 wrote to memory of 4924	4488	msedge.exe	85
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86
PID 4488 wrote to memory of 1412	4488	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1EeDZ17D5Hg4oG1T0fdu7OwQr5HD1voBV/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92ff946f8,0x7ff92ff94708,0x7ff92ff94718
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,6011257647165683064,2568414611678986497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf79ecd5ch9d24h43fehada3he2375603e33f
1⤵
PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff92ff946f8,0x7ff92ff94708,0x7ff92ff94718
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7782300838105837481,12449959562341362835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7782300838105837481,12449959562341362835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:5764

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3240

C:\Users\Admin\Downloads\astraware.exe
"C:\Users\Admin\Downloads\astraware.exe"
1⤵
- Executes dropped EXE
PID:4312
- C:\Users\Admin\Downloads\astraware.exe
  "C:\Users\Admin\Downloads\astraware.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  PID:1680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1a95e36ddb9b8e74c2747a3180e14860

SHA1
87cbe63a8378de8876269c08d5faac0df1e9b9f3

SHA256
937e495b0fb0fe818af6d045d649e555db5c16cf5999fb1e37cac3e3d2b87d47

SHA512
9cab35c4c45ba735d55260e484b3289443100b404fdf5836e00314d3a27f5efb264c949d686090aabcdac957e3e034f73b2816ca3f00ad434b87c0739a9d4a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bbe020708f5a360984b6027354bdfcc2

SHA1
cf0404811f91b81a7251d500abf36ec9015176cd

SHA256
13a945f21d28b629bd8baefd981a8f41a4958b5137ed9ea2d3d7a9a91f44e1c9

SHA512
73f1fbfb1d2ca7b8df82f5d3d7ff2e3739d4fed9c3ebc49dee981b5d3c687a4680c9addabf59360af8b639b01aa72797bc762ef8cb1a47c887dddbfefdd8e258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
1281928a75693a8240f26325e75b94fa

SHA1
885c42478b6587a352148950093080f694ae0bb5

SHA256
dc9fd149d73b1a966bf217aeebfdf748c000334fdbacb1f865d0b55126d44f1c

SHA512
d1af4e767086d28a39ec99611d0baea400fcf2256e1a045c46da16e31b895954b34313d329df299de6365270908667d1759d3105ad46c2c8d4f244bce8dac638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
deec7e3d26e1d3a038327797eb493742

SHA1
bce7cb00d3064a561dfbf8754e19519c3be7e2ce

SHA256
ae3a06f9da5f396cdb28d6b6d22e79438c585afe800a89c1e3337b40852a3301

SHA512
8548076a70392b723e85234246a2e11c6db0cfacb88a33542ff6b68e32045e9c78314591b380c5465a0f4bd87bf7ec6cfb6985ad4f7b82a531ac2b8d5fe880b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0252cd882609120392abc272915116eb

SHA1
0902e59447d7f541e87e3bc8df23095037c2e212

SHA256
5c2e6636f4cd80119840d0f6a324d6d286fc33f080c2d3b42df075f91c87e482

SHA512
914085e5936f067ac5e1238f3b9d5709e39ac21acf006b3b29e0ba021237f900ef1d245fccfb0ef30818b9bfda2370cd5b758afa2246d0cccc3cde56cce58b0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
37cce9cd2b1d3976c2c30e07a2c0b514

SHA1
a528088d98fd06761244ff9962e19865765fbda9

SHA256
b67fc3ab345f2efe700b311514618183db3b11aba63632a9cbf77162f8fe2fba

SHA512
04ed950996ebd6799862941edaa9d9795531555b97bab5be2b3d4ad1f1e3d32a7a2f3a348efc34bc9a85cc90cecaf36a76838b8b198ab925c39686ecb6661051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1b3db24dff615a883ec9b719c210dad

SHA1
c9602fc85ae10cf42b995a8016bb4c49f996e9ab

SHA256
829e3921e0191ae25f4e91476bbc92303c2e00f8f7257f3f4fe8703359b622e7

SHA512
0085aef7a43978e116952e3d87004c2382709e6cafa788621287a55f60fe37b533e8de16901d03580a8cd12c54744b98382e21fddd440197c1183b829d4bb2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab456bd2fccf0a3ad5b149f4311ddc5b

SHA1
8d20233b6d4cda30ea8e043050b329a220285adf

SHA256
e63f4d01d9e8866f784742df4c1fb73c70ac561a5eb150f2576d53e89c25baa9

SHA512
d1f402affe8010ce82285ccb721cec0a5db9bec95584a5ddae27890dc9fcdddd47e96e955215eb106b6c916750e1212c2db4e9516baf06583463a6c5b3a1afc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
63941ffa6111b270775b818f5ba3447b

SHA1
50d1b14efa8ac04b6dc61a07d947a5c60044be45

SHA256
2a566adb42e1e34d714cda95a246bbc63c01807d2e00bbefac5a95913de43b12

SHA512
51fbb3beef3bd66caa7e26595d893f328bbd2edf7f5d1a78ae9076fc6d3926abafd7570977b6acdb76c71fa0e8815177ce4525930bbfe02b8dd09c3830b34267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
047e6508e0c3822a50450111be2756fe

SHA1
073db34a65f1c5c13ba925f02ce3cefa34c29c82

SHA256
b9f496a91a864aed2a12477db7a6a78f9180dd47a6f49ef89570fb3bd8a9b8a6

SHA512
2a51e7e9448eefd1da8af2d45ce1ba8cdb71e1323fc3cf0675f1da064530cd3329ecce5c9c3456c834656069f54e5e6cbf55f95beb3270791eefd770159b5fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1db7cc836504f1321c6d236ab1e2af1f

SHA1
99edb11af1e306903150839f2b0986a3259d1c61

SHA256
f6721ba956b59a325726ecdf7be29af5233bbca36cb1d623e25d95c593e62885

SHA512
eb4865e3e5c0da71f24665a540d6891b06f2b952867c7c3fce3df8b66cfc193f6a8c5fd2ff27ab841a7b108ac90087d786b1646583012e163a735587eaee8c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81eb2562188487a4ddae2c722ca9a5d0

SHA1
5d43db660f6f096c2759df551f2baebd5929bdc8

SHA256
6e99d8fb952bdaf2cad88df52046eca714cad09a51ad5dbdb3f94eb1c0ce7163

SHA512
e7b63ea1873254a96f509b29391e45ec68256615080870b650fb6f9949a9fc481f2ceef81fc89f224b5334c4866f9ee3ecd7e395a8d4ac7a50057c5e319ce3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3e04860cb0bfa1b79edaadb71509c2b

SHA1
34e42d68097737f8d158a3884b6d9daecfe9e272

SHA256
099f638ff214c1484982d62cfc1d4120c36ff37bbeff96b676c4b885c6789a6a

SHA512
ce9eea44f045c6362df0dbfc6d6ff45026880b545e2203b64576f5157455ddf6dd03407c521dd74d8daa00e92406dae57dd68bfe5d2714f1698a7a2226b097f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9deecebab4bfdd1e0e917d59c8f0acaa

SHA1
6aa2897533b5a8c3597ccd051f88a48778ebbbeb

SHA256
af30db0cc36ba0d0134e0579d5f9ea6c8dc4606047e6c0d2e89084e388eb5227

SHA512
cb833d700eadacf5f0478143271ab754778d1d1f55c008b235e053754902c50be1a140b9ebec2395e37bdf8b45d8c37bde2dd22029c7bcc97dd81ebe578ae8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\Qt5\bin\MSVCP140.dll

Filesize
576KB

MD5
01b946a2edc5cc166de018dbb754b69c

SHA1
dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46

SHA256
88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5

SHA512
65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\Qt5\bin\MSVCP140_1.dll

Filesize
30KB

MD5
0fe6d52eb94c848fe258dc0ec9ff4c11

SHA1
95cc74c64ab80785f3893d61a73b8a958d24da29

SHA256
446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f

SHA512
c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\Qt5\bin\Qt5Core.dll

Filesize
5.7MB

MD5
817520432a42efa345b2d97f5c24510e

SHA1
fea7b9c61569d7e76af5effd726b7ff6147961e5

SHA256
8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a

SHA512
8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Filesize
43KB

MD5
6bc084255a5e9eb8df2bcd75b4cd0777

SHA1
cf071ad4e512cd934028f005cabe06384a3954b6

SHA256
1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460

SHA512
b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\QtCore.pyd

Filesize
2.4MB

MD5
678fa1496ffdea3a530fa146dedcdbcc

SHA1
c80d8f1de8ae06ecf5750c83d879d2dcc2d6a4f8

SHA256
d6e45fd8c3b3f93f52c4d1b6f9e3ee220454a73f80f65f3d70504bd55415ea37

SHA512
8d9e3fa49fb42f844d8df241786ea9c0f55e546d373ff07e8c89aac4f3027c62ec1bd0c9c639afeabc034cc39e424b21da55a1609c9f95397a66d5f0d834e88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\PyQt5\sip.cp312-win_amd64.pyd

Filesize
117KB

MD5
f57134d35976c48ffb955df1739af5d4

SHA1
c1b3a81352e462d4ecc33ee5119b882d657bed2f

SHA256
9e91b237e2aa69c0c7e268f072999bb0319b04513c9fc97ab7c4371e642375d2

SHA512
db385592876f489460023f2d02fc80635fe4f9746ecd99c8c7622399a34ea43ef631d3668429ad4e8f69552a5c386bbf12f3805a9101f7eb70337ce23e65c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_tkinter.pyd

Filesize
62KB

MD5
1df0201667b4718637318dbcdc74a574

SHA1
fd44a9b3c525beffbca62c6abe4ba581b9233db2

SHA256
70439ee9a05583d1c4575dce3343b2a1884700d9e0264c3ada9701829483a076

SHA512
530431e880f2bc193fae53b6c051bc5f62be08d8ca9294f47f18bb3390dcc0914e8e53d953eee2fcf8e1efbe17d98eb60b3583bccc7e3da5e21ca4dc45adfaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\tcl86t.dll

Filesize
1.7MB

MD5
21dc82dd9cc445f92e0172d961162222

SHA1
73bc20b509e1545b16324480d9620ae25364ebf1

SHA256
c2966941f116fab99f48ab9617196b43a5ee2fd94a8c70761bda56cb334daa03

SHA512
3051a9d723fb7fc11f228e9f27bd2644ac5a0a95e7992d60c757240577b92fc31fa373987b338e6bc5707317d20089df4b48d1b188225ff370ad2a68d5ff7ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\tk86t.dll

Filesize
1.5MB

MD5
9fb68a0252e2b6cd99fd0cb6708c1606

SHA1
60ab372e8473fad0f03801b6719bf5cccfc2592e

SHA256
c6ffe2238134478d8cb1c695d57e794516f3790e211ff519f551e335230de7de

SHA512
f5de1b1a9dc2d71ae27dfaa7b01e079e4970319b6424b44c47f86360faf0b976ed49dab6ee9f811e766a2684b647711e567cbaa6660f53ba82d724441c4ddd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\zlib1.dll

Filesize
143KB

MD5
297e845dd893e549146ae6826101e64f

SHA1
6c52876ea6efb2bc8d630761752df8c0a79542f1

SHA256
837efb838cb91428c8c0dfb65d5af1e69823ff1594780eb8c8e9d78f7c4b2fc1

SHA512
f6efef5e34ba13f1dfddacfea15f385de91d310d73a6894cabb79c2186accc186c80cef7405658d91517c3c10c66e1acb93e8ad2450d4346f1aa85661b6074c3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 74167.crdownload

Filesize
38.5MB

MD5
09aff4b8bfc3c69dab64dc0f148483ae

SHA1
574da5d2171ab25f21d700717573cd995903367f

SHA256
0d680b614c952e7470f297b6188fd76aa25339ebd0934c786d131300f710f9ed

SHA512
48df6d3b4ba0b882337fad09937b063955e9b23b846d07bb535d7d4c7adb53bde2c2759cbe27ac61c0fbdbc3c81f8f2b50cbe217d077d2ef10a546ee278013e1

Download Submit
memory/1680-1419-0x00007FF930530000-0x00007FF93055A000-memory.dmp

Filesize
168KB

Download
memory/1680-1407-0x00007FF921020000-0x00007FF921283000-memory.dmp

Filesize
2.4MB

Download
memory/5720-158-0x0000019B43AD0000-0x0000019B43AE0000-memory.dmp

Filesize
64KB

Download
memory/5720-157-0x0000019B43AD0000-0x0000019B43AE0000-memory.dmp

Filesize
64KB

Download
memory/5720-159-0x0000019B43AD0000-0x0000019B43AE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads