njrat | d9e587852419edeffbc520339081a368afb3aabf2ae4b099cc414f6840867227

Analysis

max time kernel
86s
max time network
86s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hackus.exe
Size

3.1MB
MD5

6270201830fa89bfe7c9619e66634a8e
SHA1

214e78e347c36744b961ae433412c206c773f7cd
SHA256

d9e587852419edeffbc520339081a368afb3aabf2ae4b099cc414f6840867227
SHA512

42f51c2cecf94fb02c0e48b3c87f1f2c7a8ba1edf559a530f1f6123e479e6cccf9815a058d500e6bab54c91d42a114f76b1d7a695940a430f3d47b87644e14e0
SSDEEP

49152:PlP3G5KT6W0/KJQdqsF5JcJ+l2VbknUOwqKl0:k4T6LEsBlM+lDnUn

Score

10^/10

njrat hacked defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1196	powershell.exe
3348	powershell.exe
1552	powershell.exe
3104	powershell.exe
4704	powershell.exe
4916	powershell.exe
1256	powershell.exe
1184	powershell.exe
4704	powershell.exe
4916	powershell.exe
1256	powershell.exe
1184	powershell.exe
1196	powershell.exe
3348	powershell.exe
1552	powershell.exe
3104	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4820	netsh.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001d00000002aaef-23.dat	net_reactor
behavioral1/memory/4372-37-0x000001C8292F0000-0x000001C829594000-memory.dmp	net_reactor

Executes dropped EXE 7 IoCs

pid	Process
4272	Setup.exe
1200	Setup.exe
4372	Hackus .exe
5008	svchost.exe
4064	explorer.exe
3712	version.exe
3504	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1500	cmd.exe
4992	cmd.exe
1128	cmd.exe
640	cmd.exe
4336	cmd.exe
432	cmd.exe
4772	cmd.exe
4032	cmd.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2572	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1660	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	Hackus .exe
Token: SeDebugPrivilege	5008	svchost.exe
Token: SeDebugPrivilege	4064	explorer.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe
Token: 33	3504	explorer.exe
Token: SeIncBasePriorityPrivilege	3504	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
4064	explorer.exe
4064	explorer.exe
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE
1660	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 4272	1104	Hackus.exe	77
PID 1104 wrote to memory of 4272	1104	Hackus.exe	77
PID 1104 wrote to memory of 1200	1104	Hackus.exe	78
PID 1104 wrote to memory of 1200	1104	Hackus.exe	78
PID 1104 wrote to memory of 4372	1104	Hackus.exe	79
PID 1104 wrote to memory of 4372	1104	Hackus.exe	79
PID 1200 wrote to memory of 5008	1200	Setup.exe	81
PID 1200 wrote to memory of 5008	1200	Setup.exe	81
PID 5008 wrote to memory of 4064	5008	svchost.exe	90
PID 5008 wrote to memory of 4064	5008	svchost.exe	90
PID 4064 wrote to memory of 4160	4064	explorer.exe	91
PID 4064 wrote to memory of 4160	4064	explorer.exe	91
PID 3712 wrote to memory of 640	3712	version.exe	94
PID 3712 wrote to memory of 640	3712	version.exe	94
PID 3712 wrote to memory of 4336	3712	version.exe	96
PID 3712 wrote to memory of 4336	3712	version.exe	96
PID 3712 wrote to memory of 432	3712	version.exe	98
PID 3712 wrote to memory of 432	3712	version.exe	98
PID 3712 wrote to memory of 4772	3712	version.exe	99
PID 3712 wrote to memory of 4772	3712	version.exe	99
PID 3712 wrote to memory of 4032	3712	version.exe	102
PID 3712 wrote to memory of 4032	3712	version.exe	102
PID 3712 wrote to memory of 1128	3712	version.exe	103
PID 3712 wrote to memory of 1128	3712	version.exe	103
PID 3712 wrote to memory of 4992	3712	version.exe	104
PID 3712 wrote to memory of 4992	3712	version.exe	104
PID 3712 wrote to memory of 1500	3712	version.exe	105
PID 3712 wrote to memory of 1500	3712	version.exe	105
PID 4336 wrote to memory of 3104	4336	cmd.exe	113
PID 4336 wrote to memory of 3104	4336	cmd.exe	113
PID 4772 wrote to memory of 4704	4772	cmd.exe	114
PID 4772 wrote to memory of 4704	4772	cmd.exe	114
PID 1128 wrote to memory of 4916	1128	cmd.exe	115
PID 1128 wrote to memory of 4916	1128	cmd.exe	115
PID 432 wrote to memory of 1256	432	cmd.exe	116
PID 432 wrote to memory of 1256	432	cmd.exe	116
PID 4032 wrote to memory of 1184	4032	cmd.exe	117
PID 4032 wrote to memory of 1184	4032	cmd.exe	117
PID 4992 wrote to memory of 1196	4992	cmd.exe	118
PID 4992 wrote to memory of 1196	4992	cmd.exe	118
PID 1500 wrote to memory of 3348	1500	cmd.exe	119
PID 1500 wrote to memory of 3348	1500	cmd.exe	119
PID 4064 wrote to memory of 3504	4064	explorer.exe	120
PID 4064 wrote to memory of 3504	4064	explorer.exe	120
PID 3504 wrote to memory of 4820	3504	explorer.exe	127
PID 3504 wrote to memory of 4820	3504	explorer.exe	127
PID 4076 wrote to memory of 1292	4076	msedge.exe	137
PID 4076 wrote to memory of 1292	4076	msedge.exe	137
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138
PID 4076 wrote to memory of 5084	4076	msedge.exe	138

C:\Users\Admin\AppData\Local\Temp\Hackus.exe
"C:\Users\Admin\AppData\Local\Temp\Hackus.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4064
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\tiiitz0i.inf
        5⤵
        
        PID:4160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4820
- C:\Users\Admin\AppData\Local\Temp\Hackus .exe
  "C:\Users\Admin\AppData\Local\Temp\Hackus .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2288

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\ResetInvoke.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3348

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4184

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4816

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4416

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2149241
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffafad53cb8,0x7ffafad53cc8,0x7ffafad53cd8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15550737572634532126,13101077623366466207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
8909d638e007b4d24fdfcbe44c0caa52

SHA1
51b53cb9cb34aa0b9179bc7ddec7ffaa945ebcd0

SHA256
84a13fa3f4c2dc8020fcf343c3362d995d545ba3895e63d08f6ed7fe430687cb

SHA512
29a4be4ca8dda580707497aa4f662aeb8619fc19801d35099bb08d9e0ecbf0cea981acbc2085c6c6ccb61ac6e12e41038ddbdf0d3a1dd687bf73d0ea682ca99a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
b7a123789a7552de2227c3cdb63c9fc6

SHA1
26a22e7289ba261504770d60183b715055cb6c3a

SHA256
6be9b193df817dc72532d81845116a874108d00628e269e172f8b3850db8f2ed

SHA512
40552148f6da2e5363ee379326cc6397d692ec8f903eafaf90dc3d18f6c5b04a9197d13062cb3e446f1f22e3a086f1c3ea960461b0d80f37d4a97648b55ecb8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
eb09ffd9676c7726481174d174d0fc32

SHA1
5f39d9d44b652c5113e133b111a1938649f0f729

SHA256
ca1476a3115ec786d13cf36d2d0e39ffb0a4028de4527417cf8b70f856e630a8

SHA512
919a6963b149a0e27dabebd6b2958bc0d761f7fb7c7ea1437852bd53abcfa5a0cf95f753b8e7b3a1a388465e4193fcfb8e08fdab89cc4f29e91005d4f8c5e7bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
4aff6712f636e215a00cf2428712aeac

SHA1
d17c1fa0a4f5d624c23fe6d341bbecdd226765e6

SHA256
b7bc05a2acabef4e79573320c41b96031c7caa634133878e1085889beb35884b

SHA512
db22883b030a07a55544c2b546f80e702d9b09465fdb1c5ca2ba05eea3922d9a5d717fb0d6a8381c84fe185058bd342c9fa7fc7253b8fec8077c9a959aa92899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
252d820f60b1a8716c6ecf2a06f4efe1

SHA1
9be2566cf6aaf73ff7679db9cc2a6277b27a5896

SHA256
3b1cc12b59dc1e8a72b957d9b9be782c0cbf2a6fed1305b339e55f4ee38efe91

SHA512
49bc304d7454c112011474fdd557a3693fa7821b831d45fcea0cd2562cf23cad7b3512195054f7d90c7a8149f4c380cc8ab68131e7d5bc37066fbd0e0d580c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
6ce69501f5fc3d86b1afc0db36c79332

SHA1
598dd8d64c8870ea53b94344c5bc72b8a3b68bae

SHA256
4ab4048bb34a5c22aedbf69b5db0e940456ca0428b6a6eb315cd7abd3b02287f

SHA512
ce9563c8d707043de9ddd2e9fcc892ab04093823c0c2c53a2c2137a55d2fcce6df966a7a71e48568ec4a2391b2227f9f8282f240aa66c088dfbdd43d76e01b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b3ed8b23b38ac30ed082d4f194530079

SHA1
9d07d6b3ea576917581037af1a43b5baac4b7452

SHA256
5679fa440da989c9bffb99c2066323f1fc61b1be7172670d03602c03918894cf

SHA512
1dbd0ee4cdf3ef3572a472fe1b1c2517972ad86a938b89c96807d399a4fe733c6121a47e4c1733ef5866a138c6795a9694db012cccc319e0d622b28871759c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
766b2594e8337b0fd54a3492f381e39d

SHA1
94675296d63647f6462a4c1cceb221c7392d0240

SHA256
d758badb8870db0ef9e05962f92591262acda4187d373c3a9216b186c9aa4602

SHA512
9c5cb46d855758d013af64d8a7b87d23c10eb77520dd12ec1a662de61a54d8de8470e93b5c6e68623f1aac7a51c5e26705d3c75164e85e58c36558477609cbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82436d24fdb16eb14899c209367e34b7

SHA1
4c26610257ba44c7b63790310a7857976096229c

SHA256
4c70392275496b447c2f8a7f1a991421c14795ff6e75417f7024c0dc44e69f4e

SHA512
7ad4cefa581b9057e82237852f8fc1ce74b7350e86ab5d249f31de1a395cdda7cd1058117440164825a02c10dccb1640d72aa665f7dba69f34f309f6e6ce0cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd41fa916e73be028844e67a2091c02d

SHA1
bdc3728a3e82d2723219e491ae2253e7356dae54

SHA256
2b9409cf710723f76680d76ba6b4e2b83be50b2c117eba6849849f12c51a5b55

SHA512
f33d32f6c925f7353139245ea051a0064a3c5e99611950dc707e01999dc6f228f49ea1ee5822411f7da2aa7068ba748ff8b6581103e5a987c3d8d60186d42a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86ae3856be1e06481258492e39538736

SHA1
3ae558a0c272f2cd78bb0e55c88b4162d25292d3

SHA256
58b19c795d309eb63305a8ac30d5f6c090ae80140d1f4b072bde902d7d694081

SHA512
ea6d067300ee3e8ebccdcca070f8e52c9e99a952693bb63fc240e93dbacd533ea9e4063e834c4ab156a2a6526a74a06559fdc9f76108d78386e47cf25d358872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\18c81e0e-e2fd-4a3a-a661-db3dcb71a8eb.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hackus .exe

Filesize
2.6MB

MD5
b98582a96f3d102a3d45e7ed1111268b

SHA1
b1f4886d90acf2ab70477a043dea8b668a7494bc

SHA256
fb5518b93f5a75c4ddb033a5a1e8189d2e8177c863c8b86c0adbb2de90a928a3

SHA512
51530cbd2a90a0687203132ea5e8a40c7dd0ff3275e1183020ebd60707a360f66106eaf1856716f64d24ff06b0fd2ad1e29f12019e7d68bf00dc9cbe3a7afc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
458KB

MD5
bfa40de5db5a15e0317dd72d982083dc

SHA1
fb93616799e85771a028944148bad57b15d0289b

SHA256
0feeb8481e07c0d5c1973f7a1644b788d56c9616c82ae0ce73505893664804a1

SHA512
cb39b9299485795ea810cb8f36b65bb3b816c37b7edd580bacccfaa8f9c222e0ebe08418ebef28512a2e87fc0ed758d5c6b3c445dfa5900e64d911fded2043c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glrjnrr4.mrb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiiitz0i.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
334B

MD5
94084f858405a8f5fd09fe34e08bf612

SHA1
4eaca784fcbbd3fb36879a41801b9b63a663d129

SHA256
207bf112c1ba3618266b19b76182f2aba5b22bdfcce5cf32d6e42718217e1da3

SHA512
9c0318e33291a64d5698a14796d16c167b72fed0dce7fd43e395fae6dd1410ebc5ac6b88790cce920ac3ff8cf9fee24b50673609372653551bc7c29b97a96c31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
357KB

MD5
cff755ff758e9e71d0af34017a8e9d8e

SHA1
8d401767360e61261cee79a18e061d9a0dc95724

SHA256
c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2

SHA512
a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/1104-3-0x000000001C110000-0x000000001C5DE000-memory.dmp

Filesize
4.8MB

Download
memory/1104-4-0x000000001C680000-0x000000001C71C000-memory.dmp

Filesize
624KB

Download
memory/1104-0-0x00007FFAFF4B5000-0x00007FFAFF4B6000-memory.dmp

Filesize
4KB

Download
memory/1104-6-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/1104-2-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/1104-1-0x000000001BB70000-0x000000001BC16000-memory.dmp

Filesize
664KB

Download
memory/1104-35-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/1200-62-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/1200-48-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/1200-32-0x0000000000ED0000-0x0000000000EFC000-memory.dmp

Filesize
176KB

Download
memory/1552-121-0x00000209D0260000-0x00000209D0282000-memory.dmp

Filesize
136KB

Download
memory/1660-233-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-70-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-231-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-69-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-230-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-232-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-75-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

Filesize
64KB

Download
memory/1660-74-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

Filesize
64KB

Download
memory/1660-73-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-72-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/1660-71-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/4064-114-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/4064-111-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/4272-47-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-40-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-38-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-36-0x00007FFAFF200000-0x00007FFAFFBA1000-memory.dmp

Filesize
9.6MB

Download
memory/4372-37-0x000001C8292F0000-0x000001C829594000-memory.dmp

Filesize
2.6MB

Download
memory/5008-61-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download