02a802ac33889f32fa8792832883bc8f3e2da2fdbede78626127f8afe3b5e4a2

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Synapse.Z.exe
Size

712.0MB
MD5

e7bda1f1b3150e1436adfa87bbe25307
SHA1

d5056028f468c1cf95d8aa38b1522c67c99ca97b
SHA256

02a802ac33889f32fa8792832883bc8f3e2da2fdbede78626127f8afe3b5e4a2
SHA512

b51a01700c71df2b5333696154105300ce5cce4f1ac5b3ff6c8112e2b866915e4e1b4cbdaf590910b577890088a5ab699bc77ad475823a1da1760ee915393ea1
SSDEEP

98304:ahSi8x9XQsD91urErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4EAKhOC1I:aIP9VD3urErvI9pWjgfPvzm6gsFE14AI

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1332	powershell.exe
748	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe
3120	Synapse.Z.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
760	tasklist.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023428-21.dat	upx
behavioral2/memory/3120-25-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp	upx
behavioral2/files/0x000700000002341b-28.dat	upx
behavioral2/files/0x0007000000023426-30.dat	upx
behavioral2/memory/3120-29-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp	upx
behavioral2/files/0x0007000000023425-34.dat	upx
behavioral2/files/0x0007000000023422-48.dat	upx
behavioral2/files/0x0007000000023421-47.dat	upx
behavioral2/files/0x0007000000023420-46.dat	upx
behavioral2/files/0x000700000002341f-45.dat	upx
behavioral2/files/0x000700000002341e-44.dat	upx
behavioral2/files/0x000700000002341d-43.dat	upx
behavioral2/files/0x000700000002341c-42.dat	upx
behavioral2/files/0x000700000002341a-41.dat	upx
behavioral2/files/0x000700000002342d-40.dat	upx
behavioral2/files/0x000700000002342c-39.dat	upx
behavioral2/files/0x000700000002342b-38.dat	upx
behavioral2/files/0x0007000000023427-35.dat	upx
behavioral2/memory/3120-32-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp	upx
behavioral2/memory/3120-54-0x00007FFB067D0000-0x00007FFB067FD000-memory.dmp	upx
behavioral2/memory/3120-56-0x00007FFB068C0000-0x00007FFB068D9000-memory.dmp	upx
behavioral2/memory/3120-58-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp	upx
behavioral2/memory/3120-60-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp	upx
behavioral2/memory/3120-62-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp	upx
behavioral2/memory/3120-64-0x00007FFB06760000-0x00007FFB0676D000-memory.dmp	upx
behavioral2/memory/3120-67-0x00007FFB065B0000-0x00007FFB065E3000-memory.dmp	upx
behavioral2/memory/3120-71-0x00007FFB028A0000-0x00007FFB0296D000-memory.dmp	upx
behavioral2/memory/3120-70-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp	upx
behavioral2/memory/3120-74-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp	upx
behavioral2/memory/3120-73-0x00007FFAF6910000-0x00007FFAF6E39000-memory.dmp	upx
behavioral2/memory/3120-79-0x00007FFB06750000-0x00007FFB0675D000-memory.dmp	upx
behavioral2/memory/3120-78-0x00007FFB06590000-0x00007FFB065A4000-memory.dmp	upx
behavioral2/memory/3120-77-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp	upx
behavioral2/memory/3120-81-0x00007FFAF67F0000-0x00007FFAF690C000-memory.dmp	upx
behavioral2/memory/3120-83-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp	upx
behavioral2/memory/3120-82-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp	upx
behavioral2/memory/3120-96-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp	upx
behavioral2/memory/3120-128-0x00007FFAF67F0000-0x00007FFAF690C000-memory.dmp	upx
behavioral2/memory/3120-138-0x00007FFB065B0000-0x00007FFB065E3000-memory.dmp	upx
behavioral2/memory/3120-140-0x00007FFB06590000-0x00007FFB065A4000-memory.dmp	upx
behavioral2/memory/3120-139-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp	upx
behavioral2/memory/3120-137-0x00007FFB06760000-0x00007FFB0676D000-memory.dmp	upx
behavioral2/memory/3120-136-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp	upx
behavioral2/memory/3120-135-0x00007FFB028A0000-0x00007FFB0296D000-memory.dmp	upx
behavioral2/memory/3120-134-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp	upx
behavioral2/memory/3120-133-0x00007FFB068C0000-0x00007FFB068D9000-memory.dmp	upx
behavioral2/memory/3120-132-0x00007FFB067D0000-0x00007FFB067FD000-memory.dmp	upx
behavioral2/memory/3120-131-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp	upx
behavioral2/memory/3120-130-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp	upx
behavioral2/memory/3120-129-0x00007FFB06750000-0x00007FFB0675D000-memory.dmp	upx
behavioral2/memory/3120-125-0x00007FFAF6910000-0x00007FFAF6E39000-memory.dmp	upx
behavioral2/memory/3120-120-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1332	powershell.exe
748	powershell.exe
748	powershell.exe
1332	powershell.exe
3052	msedge.exe
3052	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeIncreaseQuotaPrivilege	3784	WMIC.exe
Token: SeSecurityPrivilege	3784	WMIC.exe
Token: SeTakeOwnershipPrivilege	3784	WMIC.exe
Token: SeLoadDriverPrivilege	3784	WMIC.exe
Token: SeSystemProfilePrivilege	3784	WMIC.exe
Token: SeSystemtimePrivilege	3784	WMIC.exe
Token: SeProfSingleProcessPrivilege	3784	WMIC.exe
Token: SeIncBasePriorityPrivilege	3784	WMIC.exe
Token: SeCreatePagefilePrivilege	3784	WMIC.exe
Token: SeBackupPrivilege	3784	WMIC.exe
Token: SeRestorePrivilege	3784	WMIC.exe
Token: SeShutdownPrivilege	3784	WMIC.exe
Token: SeDebugPrivilege	3784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3784	WMIC.exe
Token: SeRemoteShutdownPrivilege	3784	WMIC.exe
Token: SeUndockPrivilege	3784	WMIC.exe
Token: SeManageVolumePrivilege	3784	WMIC.exe
Token: 33	3784	WMIC.exe
Token: 34	3784	WMIC.exe
Token: 35	3784	WMIC.exe
Token: 36	3784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3784	WMIC.exe
Token: SeSecurityPrivilege	3784	WMIC.exe
Token: SeTakeOwnershipPrivilege	3784	WMIC.exe
Token: SeLoadDriverPrivilege	3784	WMIC.exe
Token: SeSystemProfilePrivilege	3784	WMIC.exe
Token: SeSystemtimePrivilege	3784	WMIC.exe
Token: SeProfSingleProcessPrivilege	3784	WMIC.exe
Token: SeIncBasePriorityPrivilege	3784	WMIC.exe
Token: SeCreatePagefilePrivilege	3784	WMIC.exe
Token: SeBackupPrivilege	3784	WMIC.exe
Token: SeRestorePrivilege	3784	WMIC.exe
Token: SeShutdownPrivilege	3784	WMIC.exe
Token: SeDebugPrivilege	3784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3784	WMIC.exe
Token: SeRemoteShutdownPrivilege	3784	WMIC.exe
Token: SeUndockPrivilege	3784	WMIC.exe
Token: SeManageVolumePrivilege	3784	WMIC.exe
Token: 33	3784	WMIC.exe
Token: 34	3784	WMIC.exe
Token: 35	3784	WMIC.exe
Token: 36	3784	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4124	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3120	4952	Synapse.Z.exe	82
PID 4952 wrote to memory of 3120	4952	Synapse.Z.exe	82
PID 3120 wrote to memory of 1788	3120	Synapse.Z.exe	83
PID 3120 wrote to memory of 1788	3120	Synapse.Z.exe	83
PID 3120 wrote to memory of 1244	3120	Synapse.Z.exe	84
PID 3120 wrote to memory of 1244	3120	Synapse.Z.exe	84
PID 3120 wrote to memory of 1932	3120	Synapse.Z.exe	85
PID 3120 wrote to memory of 1932	3120	Synapse.Z.exe	85
PID 3120 wrote to memory of 4064	3120	Synapse.Z.exe	88
PID 3120 wrote to memory of 4064	3120	Synapse.Z.exe	88
PID 1244 wrote to memory of 1332	1244	cmd.exe	91
PID 1244 wrote to memory of 1332	1244	cmd.exe	91
PID 1932 wrote to memory of 2752	1932	cmd.exe	93
PID 1932 wrote to memory of 2752	1932	cmd.exe	93
PID 4064 wrote to memory of 760	4064	cmd.exe	92
PID 4064 wrote to memory of 760	4064	cmd.exe	92
PID 1788 wrote to memory of 748	1788	cmd.exe	94
PID 1788 wrote to memory of 748	1788	cmd.exe	94
PID 3120 wrote to memory of 968	3120	Synapse.Z.exe	96
PID 3120 wrote to memory of 968	3120	Synapse.Z.exe	96
PID 968 wrote to memory of 3784	968	cmd.exe	98
PID 968 wrote to memory of 3784	968	cmd.exe	98
PID 3676 wrote to memory of 2116	3676	msedge.exe	109
PID 3676 wrote to memory of 2116	3676	msedge.exe	109
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110
PID 3676 wrote to memory of 1824	3676	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe
  "C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Synapse.Z.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Incompatible Windows Version. This software is intended for (Windows 11 Server). If you feel that this is a mistake please contact Microsoft Support.', 0, 'Error Invalid Windows Version', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Incompatible Windows Version. This software is intended for (Windows 11 Server). If you feel that this is a mistake please contact Microsoft Support.', 0, 'Error Invalid Windows Version', 0+16);close()"
      4⤵
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf67b46f8,0x7ffaf67b4708,0x7ffaf67b4718
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7050604094585802479,8623289840360901655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x474
1⤵
PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3975055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
12f07594d8fe385183c420ac6a1bbf1c

SHA1
db14200eb119d11f12bfc0369f2cfbb68a680af7

SHA256
cdba4a388fb66e17f46b4d14ed0af2edcebe5ed8759349420a41a92e919f7e63

SHA512
100f28c5d32bede8ec9947e8605531b41d2b627ce05656230270a2e23df3abc65945681b07e1fce87ea7e255ccb985921928c9677527d9cc412868237673babe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f3a751dd13ee76f1d46bff53b5bb36de

SHA1
9b777884fef5eb8da9c6d5ad30782b13d63e0ce0

SHA256
4149724dfc0311bbf4eca129a436450cb4ab2333aade765ff28d7b3275cd5dc3

SHA512
a9b686e7d9b1b0ed79659387dab7b2572e7658cc56a42a70ff56153fe093caf1ba313c5e21354b58dad17f52c3848e5b73d5c068975d2bc001a05248a1d846a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b751e6d615042709a44ff7a0bd7b812b

SHA1
6062382d2a519a07808f5b5a2246be1ab07536be

SHA256
06cfcdaa5ab9dcb69d5e4b2add6e2b6a0e37343bc6fca4e916c5d92c8d3122d5

SHA512
69e81224d317de7e9e76e355176db936673604088c859937ca0fe4fba962c59f4c15998f07370b300846ce7131b2a33685cf5f968fffac40114c59b643e8f366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f9b3fa98df5dcabafec537a35ddd12cd

SHA1
de80b93d91cd3547a69ea636bc670c0a0fa7df7b

SHA256
727453f7cbba1597d689d6e2b751b03149039785e472aad9377ffc54af538ef1

SHA512
77bc565114f895e1812a5dca7d8678a4f9746aa698bc61d9e2f15e5c08f78a2bc1834b85c4276d61c6e22915284ab3736d37d565d58a90ebd573a9823d2858f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90f8d56cb0457c32229ae1d667f3ce22

SHA1
5ed68d0f940edfffa308d16bc76362c7169d6062

SHA256
2b66d7abc11322365f8d7e8020cb1aa4b917b6136a06fee2b220ecaa5dcabb5b

SHA512
8008f6f215f699353737e56793ce639ac705a8dcca593991b12bf4b190b7a5418817cc507b9474b3667abcddaef1f66b6524139b7f7c84946183e87210fd393b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fe7818ff69b7b35f1ee7757e2a2c9cc

SHA1
4f507b5090d55945452c99bd20124cebf27c5bdf

SHA256
2160a4cb621e51e856f09a63ecae86a37787a4663a6139dfcc8cd4ff73eda06e

SHA512
9180a943ee78456269b90a575a04d126a231db1c6532d44423086f2c147f8ac0fb053903b08ea241f93e01b845172789a5a2005bdc011b7d699c6aef2de1aa09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
979744ce0f810e60d01c22be53b89228

SHA1
a8ff8d654adcbf871e70f590d21228e36060b815

SHA256
da5e68b5fec3f862db7c0714cf26984a8112fc3c74c16efe0a7613e9cf1ac571

SHA512
7b4c46ea60747c19706d45e7bbfab7d3ca6c06a2cffa5d472865f5d4b5cf4b916981d87663e0db92964cd72847d96282e5f0a0e7e9b93bb0e338ecf5e8d0c59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
390c02f318f9aaf07a8fba7e43aa5cb1

SHA1
8b300b9cb2f4f20e15e64de2fed4c8ae4c489924

SHA256
884a0ba4b64dc41cb7f7f8dbe5f862a22aec6f3d29a3269443ab74709091623c

SHA512
05a0e6c642dae895b58f754447c615931c65de4635d4825ef112009e0512b056ef41d966ce906832fb3e8f4588001d013324fa577da25c01fa1872adeda39d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6956b87aafe84580d8a88a9f531aaafa

SHA1
d996d2ad3bb691a539e236176e560c73a56d53a2

SHA256
fad573522baad40c7ddbe92c4ea7f91a3daf5dd39b6dcc96065c3fe41694b525

SHA512
2309fa1b95e6ebeb0c636c6e0e5dcd4d5ee54bf9d1d1098a4d23afab1394bf56390741517b211d6fae4627514a83f4e9954d241917cc57a246add4f690bb6230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
681ec87f991df07fe626e4b057515026

SHA1
f8d75dfed79472e96b29f11326c976343802a6bd

SHA256
2ce3d39fe0dc5a6f162150e3428604f1be55e5ca561ed6b54675d3a3e5f4c6f1

SHA512
539c8b23b3b5318bfcf06f7bd14de6d1c72716049efacf3c6fc915a284832f015e4134547c2666c3ec1186ca43ff57ab9d3c8a5b35d511d100f69b63e359fec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe651931.TMP

Filesize
705B

MD5
f550f4d187662481d4d683ee81ea4d5d

SHA1
54fc6337d1d026e29aa5a34962bc862d15804f09

SHA256
21377b42f43ecd596315639a6187859bb34b18d8cef1e97654e0b8e9dd9bded4

SHA512
5cfad0d31332d85fde6f3cc9d8b936f5cb9eab79e9e8e32cc6b5112f26fa177e5f27619a179e4d769ca8bc2d8e00d836bf1e3ff0cb8cb75d0323d970cf75c720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
49b1bdef3a107ead5d27e6a45a901077

SHA1
7ef14394b433b7b4a8280c23f6fa6e108ad6feed

SHA256
4d74a7c602d9f10990f161916b4865dae7847b05e3387d7240d8ed6fa517b28b

SHA512
6f8f9d5481523ab4d363c555053d609566ba5a66542b5568b444256913d10d07b6ee70c7fa973693469460d6c9655ab6c16b377677827eeaff1f7c805ae23455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
baa9aa78bcca91e3331e229d47163902

SHA1
aaf10a2bce375fe66f8245fe8830e2db195fada7

SHA256
a282d95d2781cc6b9d3415099bed982929cdced8678648ba01cf6a8d4cee68e0

SHA512
b0fb33a9bbcb2ca6e74d8076d93e8656e66edc950584b6dcf87ea96ebc0dfffc60372b16f61e754399ad38dd3b567915daa8a3a3ba7f8debfa1e5c708812f8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\blank.aes

Filesize
126KB

MD5
c4f53c4fac66e2909ca7cabca42871bb

SHA1
e38143b9faf8ee7b0bb1d1440bf5f9ca4d098ae7

SHA256
3dae824fc0a4baa9814a30a4c0dfe5e27c0b8d253b1f15f7057b98f1512807e9

SHA512
a089c0f59aa67b849c30b0bf6ba57cdf107c635972b8573a5ae4e7704bfc48a5f8137c7f36c757591e29af1b3065023ba0981c8f7d4f0c99b2b19a337228d2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\blank.aes

Filesize
126KB

MD5
cce2e41d05e921d9eb2cfe24ad3212a3

SHA1
c0915c0b59f9ea18cccdb624928871d135d078f6

SHA256
056843b734069316562c2b13734d118d517987bcbfa9014999fb95111ca8883b

SHA512
c72e24ef10e9f548de6f159dd372f8342bfceb288ac0d428845ca46ade86ece41cbe27db37689ab700c5303f0421940d5391434c7e6217e7c0b7f00671d003f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49522\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1pej3n1.x2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1332-113-0x00007FFAF5D20000-0x00007FFAF67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-84-0x00007FFAF5D23000-0x00007FFAF5D25000-memory.dmp

Filesize
8KB

Download
memory/1332-102-0x00007FFAF5D20000-0x00007FFAF67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-90-0x000001F4CD570000-0x000001F4CD592000-memory.dmp

Filesize
136KB

Download
memory/1332-95-0x00007FFAF5D20000-0x00007FFAF67E1000-memory.dmp

Filesize
10.8MB

Download
memory/3120-83-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp

Filesize
1.5MB

Download
memory/3120-96-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp

Filesize
100KB

Download
memory/3120-82-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp

Filesize
140KB

Download
memory/3120-81-0x00007FFAF67F0000-0x00007FFAF690C000-memory.dmp

Filesize
1.1MB

Download
memory/3120-128-0x00007FFAF67F0000-0x00007FFAF690C000-memory.dmp

Filesize
1.1MB

Download
memory/3120-138-0x00007FFB065B0000-0x00007FFB065E3000-memory.dmp

Filesize
204KB

Download
memory/3120-140-0x00007FFB06590000-0x00007FFB065A4000-memory.dmp

Filesize
80KB

Download
memory/3120-139-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp

Filesize
5.9MB

Download
memory/3120-137-0x00007FFB06760000-0x00007FFB0676D000-memory.dmp

Filesize
52KB

Download
memory/3120-136-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp

Filesize
100KB

Download
memory/3120-135-0x00007FFB028A0000-0x00007FFB0296D000-memory.dmp

Filesize
820KB

Download
memory/3120-134-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp

Filesize
140KB

Download
memory/3120-133-0x00007FFB068C0000-0x00007FFB068D9000-memory.dmp

Filesize
100KB

Download
memory/3120-132-0x00007FFB067D0000-0x00007FFB067FD000-memory.dmp

Filesize
180KB

Download
memory/3120-131-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp

Filesize
60KB

Download
memory/3120-130-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp

Filesize
144KB

Download
memory/3120-129-0x00007FFB06750000-0x00007FFB0675D000-memory.dmp

Filesize
52KB

Download
memory/3120-125-0x00007FFAF6910000-0x00007FFAF6E39000-memory.dmp

Filesize
5.2MB

Download
memory/3120-120-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp

Filesize
1.5MB

Download
memory/3120-77-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp

Filesize
60KB

Download
memory/3120-78-0x00007FFB06590000-0x00007FFB065A4000-memory.dmp

Filesize
80KB

Download
memory/3120-79-0x00007FFB06750000-0x00007FFB0675D000-memory.dmp

Filesize
52KB

Download
memory/3120-73-0x00007FFAF6910000-0x00007FFAF6E39000-memory.dmp

Filesize
5.2MB

Download
memory/3120-74-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp

Filesize
144KB

Download
memory/3120-72-0x0000015CE1A40000-0x0000015CE1F69000-memory.dmp

Filesize
5.2MB

Download
memory/3120-70-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp

Filesize
5.9MB

Download
memory/3120-71-0x00007FFB028A0000-0x00007FFB0296D000-memory.dmp

Filesize
820KB

Download
memory/3120-67-0x00007FFB065B0000-0x00007FFB065E3000-memory.dmp

Filesize
204KB

Download
memory/3120-64-0x00007FFB06760000-0x00007FFB0676D000-memory.dmp

Filesize
52KB

Download
memory/3120-62-0x00007FFB067B0000-0x00007FFB067C9000-memory.dmp

Filesize
100KB

Download
memory/3120-60-0x00007FFB05F60000-0x00007FFB060DE000-memory.dmp

Filesize
1.5MB

Download
memory/3120-58-0x00007FFB065F0000-0x00007FFB06613000-memory.dmp

Filesize
140KB

Download
memory/3120-56-0x00007FFB068C0000-0x00007FFB068D9000-memory.dmp

Filesize
100KB

Download
memory/3120-54-0x00007FFB067D0000-0x00007FFB067FD000-memory.dmp

Filesize
180KB

Download
memory/3120-32-0x00007FFB068E0000-0x00007FFB068EF000-memory.dmp

Filesize
60KB

Download
memory/3120-29-0x00007FFB0A130000-0x00007FFB0A154000-memory.dmp

Filesize
144KB

Download
memory/3120-25-0x00007FFAF6E40000-0x00007FFAF7432000-memory.dmp

Filesize
5.9MB

Download