a9614c6564109168c11a853f00a2073803c8a26af2effa33b861d80f78121e54

Resubmissions

16/12/2024, 20:02

241216-yskezaznap 10

16/12/2024, 20:00

16/12/2024, 19:57

16/12/2024, 19:52

16/12/2024, 19:49

Analysis

max time kernel
142s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16/12/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample
Size

258KB
MD5

37698ffffe211da5c8b3f97ec1f36bae
SHA1

83f5b50f58b8c0a1451e8ba9f119b526abae76df
SHA256

a9614c6564109168c11a853f00a2073803c8a26af2effa33b861d80f78121e54
SHA512

368e0ee6d90d1f1746c23a520520a658964a7d289f846f2ed94772f28bb7331af763dc99fc7a8395c4a19314b35fbe9c5aa9e765cf7092e59cbd8f48f8ee3134
SSDEEP

6144:giaRHpOL/saqkPV9FemLtcIDSsmwj9OvZJT3CqbMrhryf65NRPaCieMjAkvCJv1/:laRHpOL/saqkPV9FemLtcIDSsmwj9OvY

Score

10^/10

agilenet bootkit defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2440	MrsMajor3.0.exe
4952	eulascr.exe
1140	GoldenEye.exe
4940	cipher.exe

Loads dropped DLL 1 IoCs

pid	Process
4952	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000400000000f45c-629.dat	agile_net
behavioral1/memory/4952-631-0x0000000000610000-0x000000000063A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
76	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cipher.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{e65d08da-c54d-4040-9f39-4de6cf814dd3}\cipher.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{e65d08da-c54d-4040-9f39-4de6cf814dd3}\cipher.exe\:Zone.Identifier:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 283419.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 722397.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
5048	msedge.exe
5048	msedge.exe
2036	identity_helper.exe
2036	identity_helper.exe
1124	msedge.exe
1124	msedge.exe
1704	msedge.exe
1704	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4940	cipher.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2440	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3840	5048	msedge.exe	81
PID 5048 wrote to memory of 3840	5048	msedge.exe	81
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 552	5048	msedge.exe	82
PID 5048 wrote to memory of 2668	5048	msedge.exe	83
PID 5048 wrote to memory of 2668	5048	msedge.exe	83
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84
PID 5048 wrote to memory of 4932	5048	msedge.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sample
1⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa039d3cb8,0x7ffa039d3cc8,0x7ffa039d3cd8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2440
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4AAB.tmp\4AAC.tmp\4AAD.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\4AAB.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\4AAB.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,17889416920591186977,6295915956551414431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7016 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1140
- - C:\Users\Admin\AppData\Roaming\{e65d08da-c54d-4040-9f39-4de6cf814dd3}\cipher.exe
    "C:\Users\Admin\AppData\Roaming\{e65d08da-c54d-4040-9f39-4de6cf814dd3}\cipher.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d083584f292f4b1b2ee35e0e0f60cd6b

SHA1
f7ebf81678bda53e22ef99a619291cfc2c37cae8

SHA256
219d2316a353056b91ffcc1c388fb2c0d2af2c2a5f9319fe1e9de10261843810

SHA512
e0539b61961733c492f480d4babd00bcb4ba529b90eb88662cc3b1a3b4671d1a48be22872ab4822f3d084fad2b23120fb5834cceff8eb5ad14208a7a142eb1cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0f0780b92cdc230d2548bd7b32c02a8e

SHA1
e6cd09018edd8e2bf2f0e788a74aa03a0f468134

SHA256
be0bfbbd6f614bb485f48eaa50f8b8b0242efa97fe1436d3376c93812c7cc237

SHA512
9c1925dc4e9cb0d2714e8a0f5b4d4990e65ff853e825417a330e40fbd95ed2b42da900482842d83c1ef990e3fc9ec6de6a5de9042dcbcabda345e6aa91602a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
49adfab7a6dd096a370c1251b8b09b01

SHA1
55c2140ee195a6bfc4d7071fb8e756ac72cc2792

SHA256
2e2b3a2733233c7f27e5ce711428b860cd1ecc6b16330c2c9d3ce6353118462e

SHA512
fd8f3f5fa8066231e24f42a749d4a1f4325c61ff85e665106d6e8a2fe85fe3b1b72add2e7fcd9f83edc5914469bf2b6e911dfa91c59ecad9ba76d53601fc4c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5d09798ba2db670dfb083401bc26edd

SHA1
a7689061a408cb198c4858541e619dc1e181f2bb

SHA256
51c7b32bbd9e914974fc725a7f24eed4f933bb6966c1d0a4b84b0da7f212e34d

SHA512
eb0fa55a5fa51073fcbd30c4b1647c55f76aaeae79809967302d05422a5b5efaf6ef0e37dc001a7b256c98f7f7826ed64b97240dbc690793e2f08ce738600da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3a77c93169525de1458b1517b126cc5

SHA1
95af1c842083b10050b402f78acc66427cd6d796

SHA256
b351cf1e93c2f250ee90abf15c2b83067895b43d021f317679abff65dbc2a593

SHA512
c249a990f4a05fc3906dcd91f2aa9bfcf34a3bc59696c94efbb831f4e3d8242047e0e76757903c0fde4bfb24d8e35c4240ad4b21c543ecfde7b981268c1169b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b28ee58be3bb8cec29cf38f897afd75

SHA1
796912f9c2438299ddeb766554d6721f0fc42fb2

SHA256
af82e1e6df379ff217c33427adf498da878828ec412da5c5d3db0fc6c427ae6d

SHA512
3a9f3d5d7cd43bcf60b609301df0d7fa29b9312af5f06cb2b4c40f7ed1519cd8d51f43167ab45a04a6e891afd3f875682e8f20b6d26218d2ce3b3929491bf092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d0ba6058e70ff13634b00b7a5668f1a

SHA1
9f8eeccce4dd5b521c8812394ab23e29d4241b9d

SHA256
0ee78f6e498f8fc13052280b1814d6d00e57de0875a59185de9c9e4a791492fb

SHA512
8c86b01f86390eb63113dabd07ac33c5cca4dee06cc31db8ef69358a8c0b9aac205033d743dbed9f2d03272787abbf6fe85edf8edd98f1b652b6af69776f7a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1e60ee711ad276bdf71814ea8b57a6b6

SHA1
ad6212812f705a919b1b16790f623a31b73f6b13

SHA256
4d406e97071de613227415a8ca98eb55a24c30442de5899d6bedd7af8ce5b37c

SHA512
80056030ab48e344b108f2e26767df81712c13b2332f6f82ff14d18847325c1da8a2f6c5b4571d565c25568021188d37369bbd874be72b439e1dcf2d4c559579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
46e789c9a82a7c4fb14f0709ffb2f117

SHA1
5144104c05a7f3ab3459ad0c05eee23c87675345

SHA256
41132e7817013eaf45962c9bb793a7b27db80d2a5fc3e5d33aa881472b6f6aff

SHA512
e06a1b2a966e0de17b2bf19cc31532220cda5abdf2a5d39ce3d389318c750dd5f81164e7e8576010ea259a8989c67ec1097daf3a8de5dce9cada82f354d74ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
73c8b33ec59f57ed6fdcd95e2e2e31e9

SHA1
ad3543420332017e6a4c0535de7dd71dac539719

SHA256
18236e55ccf689b576d06ae33b09f1d3c520d122a506179a07a48750769defcf

SHA512
032d8523efaec04bfb217714ae4f1eaf81b3002daa0f58222c93dcd0efa342a841ed919e567235f71eafae5bf5aed49000f6d25497c9ac32d216a9570faf2d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
61647a45657064e54e94010de3653443

SHA1
dbb30c2b94d3addcb7e54a88d49e64e16f0f9e27

SHA256
8f59b7a73457ad9d67fed4e2ad5b4d95519c5e161edc109719ebf8e6547c1e71

SHA512
9c107e0fe663606ebd5e3d63b151879de77d846cf5c3382edefd6445658c530a843434cc05866bdaaf867b68c6ab4aa9baffdece31b0b3f6e8bc319d6ec2c109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4aa729da0b83d9d5077aca1797125dd6

SHA1
5b2ae828c44235af73e63d9dfd074cc40289f836

SHA256
a44146a04e695284272021391dcdcb8a050cadc54d267e2b93f0a42c764729b3

SHA512
628bda23b37935e191722a7b8b378c8e27549bdf2ff9353c2f2305a10ac3e27d55d11e9b2e38b9a48adcc3d60c5f15a238a35572561f25471aa64f69f8f3fee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b4fd523feb4c5b99553de4f81931f95d

SHA1
53c51198441f494c0dde0b6925068fdffe41f096

SHA256
3eed0cce71e30486ae58e331f190fff381d7e965c799bb862c1ee277969dbd66

SHA512
f4ff92852472aab73e6d8b3b4cfccf0c89e67d223eb1e88fc85561a7b34fecd8ca803578925087b72a4c2d5273195774f659335149eeb82421ff5ffb4ad8d4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587dd6.TMP

Filesize
1KB

MD5
84e5c272105d7d17b5d1ac76d8faf5ac

SHA1
2881171ac1f285e8e046a0d6193c1eb03c01691c

SHA256
e897862f57d87ee2ff87d16cfd36c03f9554e267d05bec806bfe165bb204ce28

SHA512
057127da6c7ea2f18982e862e1e7577436168312b93ecf765388c4177aea82abf2221f025ad1bb4a8406be31faec60d40a7b72c8f0680f3f71de9fc7c224eff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4eedc0e9950469f5c5c04e8a932f27b0

SHA1
9e6361e3358957ba5b90a2ff82bb1222ceec9fb7

SHA256
048fdd614ddb7312637b74a609f02bcde0cfbdeef96497dd402c2591da2ba6c3

SHA512
b9df0b976c0f507cc1e566a7c12ac34bf99fb7a7b81e5ad5e1c3c45fcba977b44b32f7c7f6477fef071f1c3d29a442bd065d931b7553fac91a3fb708e39a4da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd0c458b37b4113183d5da947942a21c

SHA1
0a667925b83b464f7bc297b6ed489032897bf98f

SHA256
cb2a333faa1268d442d1cbc59ad47ac5445543c8215294bc010630595bd68d77

SHA512
b997ccaba75c9ba01d24d877b0ff3be4a7624d538f52af82ee12f00076cd7754e40ebf5fbe2252aebf1cc332d6959ddeb751181f84b6a7e8fe2583689a14b9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2fe32a1e2c6b640a95870e95473a1a25

SHA1
1d5b337a1791063f984687463178d46505e4f831

SHA256
2ab56306d05a6950211c11e1eab683d1ea597949bd6544188c5bd147fab30d5f

SHA512
1c45678996f83dbeca16d3ea34883cb9a23dcb11b6744e81ef4479365c4c69aaf635422000bdc8facf65b49db6d4881b34c8598d18341cf21a96d6dc1812cf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AAB.tmp\4AAC.tmp\4AAD.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AAB.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Roaming\{e65d08da-c54d-4040-9f39-4de6cf814dd3}\cipher.exe

Filesize
255KB

MD5
e068cc92685bcb0baa98b9e0e0eb7ec9

SHA1
842e3bc52cf8564174dad5efd9a5b5a113e71f2f

SHA256
4fa9a27a4c371c409db68f9f81f00a30a8d15c78e173c04ca9d38f51b6cd9584

SHA512
945d1b37f9a7299e4299689454e872afe485e81a7fcc9ce80584bab82418856ab07d49a8c94d6e352c30f23e09fdafba122a498a7dcc617382f4db39725cfe66

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 283419.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 722397.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
memory/4952-639-0x000000001CE60000-0x000000001D022000-memory.dmp

Filesize
1.8MB

Download
memory/4952-640-0x000000001D560000-0x000000001DA88000-memory.dmp

Filesize
5.2MB

Download
memory/4952-638-0x00007FF9EEFA0000-0x00007FF9EF0EF000-memory.dmp

Filesize
1.3MB

Download
memory/4952-631-0x0000000000610000-0x000000000063A000-memory.dmp

Filesize
168KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads