gh0strat | d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
Size

5.0MB
MD5

c7adb0aee7e3651e7ffb04337f42be90
SHA1

6eae418e08d9429d9e19f28272f25e2f311b2704
SHA256

d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4
SHA512

724cadc39071567da7152cd9c295ad724255bc564567ca3475e31471d99163a1cc36c3975773e2048d1cac963ca471569cfce0ab128a70afcf31e1bf5c8364b9
SSDEEP

98304:xcy2LkcMNB6cDqnTgnRkidZ7C0eNGyJW3lE4RrtRmrpIZhGuul38YR7O8sOKduGs:6y2LkcMNRdnRkgCNGyJ/IJYR7vsOKwGV

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/1224-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1224-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1224-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4132-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4132-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4132-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/1224-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1224-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1224-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4132-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4132-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4132-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2064	netsh.exe
2132	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 6 IoCs

pid	Process
1224	RVN.exe
3256	TXPlatforn.exe
1968	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
4132	TXPlatforn.exe
5096	FiddlerSetup.exe
3596	SetupHelper

Loads dropped DLL 20 IoCs

pid	Process
5096	FiddlerSetup.exe
4948	mscorsvw.exe
828	mscorsvw.exe
828	mscorsvw.exe
3600	mscorsvw.exe
4844	mscorsvw.exe
4844	mscorsvw.exe
1380	mscorsvw.exe
3464	mscorsvw.exe
5172	mscorsvw.exe
5568	mscorsvw.exe
5568	mscorsvw.exe
5568	mscorsvw.exe
1296	mscorsvw.exe
5708	mscorsvw.exe
1176	mscorsvw.exe
6048	mscorsvw.exe
6008	mscorsvw.exe
5152	mscorsvw.exe
6008	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1224-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1224-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1224-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1224-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4132-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4132-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4132-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\33c-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\Q6WNMDJOTX\System.Numerics.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KJ4VRMTT7Y\System.Deployment.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1420-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1354-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ISDJZWCTKK\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\E3BCWXBDEA\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d88-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15c0-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\47Y1H4R174\System.Security.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\510-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\d12b539b25fd704b7b7ae29b10af66db\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1434-0\Microsoft.JScript.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\E3BCWXBDEA\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KJ4VRMTT7Y\System.Deployment.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\RWLF9T1EZG\System.Data.SqlXml.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\RWLF9T1EZG\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\Q6WNMDJOTX\System.Numerics.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\17a0-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ISDJZWCTKK\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e10-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12ec-0\System.Deployment.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\47Y1H4R174\System.Security.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\164c-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1778-0\System.Deployment.dll	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2968	cmd.exe
2792	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.saz	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2792	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
5096	FiddlerSetup.exe
5096	FiddlerSetup.exe
2092	msedge.exe
2092	msedge.exe
1972	msedge.exe
1972	msedge.exe
4224	identity_helper.exe
4224	identity_helper.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4132	TXPlatforn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1224	RVN.exe
Token: SeLoadDriverPrivilege	4132	TXPlatforn.exe
Token: 33	4132	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4132	TXPlatforn.exe
Token: 33	4132	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4132	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1224	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	83
PID 1764 wrote to memory of 1224	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	83
PID 1764 wrote to memory of 1224	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	83
PID 1764 wrote to memory of 1968	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	84
PID 1764 wrote to memory of 1968	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	84
PID 1764 wrote to memory of 1968	1764	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	84
PID 1224 wrote to memory of 2968	1224	RVN.exe	86
PID 1224 wrote to memory of 2968	1224	RVN.exe	86
PID 1224 wrote to memory of 2968	1224	RVN.exe	86
PID 3256 wrote to memory of 4132	3256	TXPlatforn.exe	87
PID 3256 wrote to memory of 4132	3256	TXPlatforn.exe	87
PID 3256 wrote to memory of 4132	3256	TXPlatforn.exe	87
PID 2968 wrote to memory of 2792	2968	cmd.exe	89
PID 2968 wrote to memory of 2792	2968	cmd.exe	89
PID 2968 wrote to memory of 2792	2968	cmd.exe	89
PID 1968 wrote to memory of 5096	1968	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	90
PID 1968 wrote to memory of 5096	1968	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	90
PID 1968 wrote to memory of 5096	1968	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	90
PID 5096 wrote to memory of 2064	5096	FiddlerSetup.exe	94
PID 5096 wrote to memory of 2064	5096	FiddlerSetup.exe	94
PID 5096 wrote to memory of 2064	5096	FiddlerSetup.exe	94
PID 5096 wrote to memory of 2132	5096	FiddlerSetup.exe	96
PID 5096 wrote to memory of 2132	5096	FiddlerSetup.exe	96
PID 5096 wrote to memory of 2132	5096	FiddlerSetup.exe	96
PID 5096 wrote to memory of 2568	5096	FiddlerSetup.exe	98
PID 5096 wrote to memory of 2568	5096	FiddlerSetup.exe	98
PID 5096 wrote to memory of 5052	5096	FiddlerSetup.exe	99
PID 5096 wrote to memory of 5052	5096	FiddlerSetup.exe	99
PID 5096 wrote to memory of 3596	5096	FiddlerSetup.exe	100
PID 5096 wrote to memory of 3596	5096	FiddlerSetup.exe	100
PID 5096 wrote to memory of 3596	5096	FiddlerSetup.exe	100
PID 5096 wrote to memory of 1972	5096	FiddlerSetup.exe	108
PID 5096 wrote to memory of 1972	5096	FiddlerSetup.exe	108
PID 1972 wrote to memory of 3756	1972	msedge.exe	111
PID 1972 wrote to memory of 3756	1972	msedge.exe	111
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114
PID 1972 wrote to memory of 4672	1972	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
"C:\Users\Admin\AppData\Local\Temp\d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2792
- C:\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
  C:\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\nsf8732.tmp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsf8732.tmp\FiddlerSetup.exe" /D=
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      4⤵
      PID:2568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
        5⤵
        
        PID:2448
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
        5⤵
        
        PID:4644
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:828
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 264 -Pipe 2b4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3600
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 264 -Pipe 2d8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4844
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2cc -Pipe 264 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:1380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b0 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3464
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5172
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 0 -NGENProcess 294 -Pipe 2e8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 264 -Pipe 28c -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:6008
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 288 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:6072
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 294 -Pipe 2bc -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:1872
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2c0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5444
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5544
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 264 -Pipe 2c4 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5192
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      4⤵
      PID:5052
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1c8 -Comment "NGen Worker Process"
        5⤵
        
        PID:368
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1dc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1296
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1176
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5708
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6048
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6008
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 284 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5152
  - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb552946f8,0x7ffb55294708,0x7ffb55294718
        5⤵
        
        PID:3756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        5⤵
        
        PID:636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
        5⤵
        
        PID:4024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        5⤵
        
        PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:5716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
        5⤵
        
        PID:5724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
        5⤵
        
        PID:6024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        5⤵
        
        PID:6032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        5⤵
        
        PID:5464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17903745275147913065,11645090438504800578,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
d48dbe460b03747ba3fb5f1ea31e599e

SHA1
0a16b230908be782c3778628979f1491462c903f

SHA256
d702044b9b3708099d31619942c7e3425ce076a6f3ca641e674666a128272110

SHA512
3748a936191d626ac9d1f6dbac189a00fbbc793d90fc06a22b1ea2ca9b65bfbeec60735a87dd6606d78793a1d98ceb26d7fdcb6b07e5e3291384c018fdf6a133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
383b6d23f314261115291c00ec5d562d

SHA1
7aea9c3e43dbb93cc92e54ec9a97928ce62722b1

SHA256
d0cc74c17984eea2a93b5dfc6f75fa26c2c1cd78582f9678dd3fecdf50255e79

SHA512
eb0cd2051ed52d044c94b27b0a31ff0014851c6cca3222d5ca6be16d1f34610d326437bf4370bb01675fe0c7156aba5507bde45bb5ff2668485ff8bf3346dfd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a8d9ec22f1ae58abb2b12ae27f823ce

SHA1
c2b81ddfbdb5c3a3dbad39c7dd397cae22f2ab43

SHA256
3617dd82e73174c2a363f9fa98b8ef5741ca16d278486249f4473ebf8234ff4c

SHA512
d24e4decf64c24950d43b553f217abadb14483690c8546167ea3d7bf38d09da57a4a8af18ad0b87ce2de15df1e7dc24e656e28c9b573c3ae3f2c72862a3e1243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
967b55dc6b9b6f648351ea44a2cac4f4

SHA1
cc8d7db771d45f6d83b252dc568835e810456c6d

SHA256
174ab9bbea42d54b530af4981453b6e1044b8382da33b1d5b8456fec612957b2

SHA512
4a4e538f400f0c5415cc3b3419c938785533f2c801f54f3a0d7ed9c61a3a433662a8b0436af452415c964621a26c100a1db84acc1a528f3d73ce313a9229db7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b695e33673db52c004070d293d56c70f

SHA1
f9b52e015369aaf68a1d2b7f06fa16c50ae83199

SHA256
b6da3c0936e09e0dfc87904ec318d40079924ef2f40a06a636c76490725b18fd

SHA512
576d372d110632a505a26c7ced5ed581e92dffba4e9fbeae84363724361fd351a2a1ae8ee14e9ac0884af52c9d8888d6c05245699c69eb0b7f4302b3bb0a3ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584292.TMP

Filesize
48B

MD5
e74d19005d35277e544a0f64ca859e6a

SHA1
87ed4c336ac57bae8910976ddb6358f00b184a17

SHA256
c56c928575976ab0a1b84054394017bda8e07434592a1f6be78718670b6a8fdd

SHA512
a2719ff7906dfadb68bad30a05a1f92e6385db8473eccd582b61180b358905179b13a8817086be8973feadb62bc4dec8a481438151ec04bc868cefa60d272cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
361e69fbf5b56486cc1bdb204fc95fb8

SHA1
3aaf8cdb0220bf1439647bd1b30551e7ea889efa

SHA256
4380bd3e3f94ee88aa26bbe5e5e34212f067d85c55ee6618b73f24d0f08c3f42

SHA512
9bcf32901eeaf13b829934dd9f114d3f56f67571c0560fda77c546bb7d58db28a181881865e24e330868e68ed5e2c15087232dfd862e8c65c53df2d7ae36777e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
700a2c3a088a86d6a7c379579ed8e0ab

SHA1
dc33ef594bf98bbbb72f7a4e020033c89fda9255

SHA256
1db0bbf6b0f65c7c528d2680286df2f86c098c3a14ea6b5a1d9eb897befc211e

SHA512
4e53b51a2675a29c1ceecd453f3acca604ca68d0dc8cde4a5231a469e9a768fb76006677273ec691404fd00fc031865139ed59f9a09704e95025a287a4a52322

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
449KB

MD5
11bbdf80d756b3a877af483195c60619

SHA1
99aca4f325d559487abc51b0d2ebd4dca62c9462

SHA256
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1

SHA512
ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
ea240c9d733ad54a79faaca19ba8d376

SHA1
2c1d1b3aa6aec6e6e7af7f64637029971a37ba77

SHA256
2c2aa55ab99b5a34eb78ded93e46c4d5fef44077847281e124473c20de5cf165

SHA512
d3815bf7b5af7aa5dbf717f404bdac9538adeaff57cf6ec38c3724d7179fb1f31231009941a671bdd15516e47ff346afa8738bc399c4e57cb840def6821f6464

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
32cf2e7c6ae825d5f7cb2a7d39c2ee24

SHA1
262176d879e7727375025cae4aafc90698adad26

SHA256
d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5

SHA512
a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
1289dc21a51fb89e685fa4c91764c00e

SHA1
b24210c4e71ace272a1984e171d50380687f73fe

SHA256
3e6f9a8b9dbd8adb521ce02a1c34e20350b3df438deb5bc4ada33c8cca6d25b9

SHA512
9cf63f042197470e622b97bf11845722c6338e69f08932b2f11eca576162235ff82c2def13bf42cea4c3b583ebd0342ca10ca6e5f2a3c53e4a6db5ae7006a0f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
576KB

MD5
9b75bff27fe85a88f5e6816d12323638

SHA1
579c9a21460c00fd73a1260e4b03cbb9209e00c0

SHA256
6d01f24cf5d016a536e294adb33251dc41464b02e403d42245c44cc183bdd5c9

SHA512
0d8fa75757d9bd424a2d0f8d5331c4510516f49ff5d0a773f367884b58f4f8fbba8d66723128b526c3fda956709db47470e778145fb58b98b853c0abcfe24690

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe

Filesize
4.4MB

MD5
78537045a5e032d4ac93514f027c7a47

SHA1
5b6e705b20652c0cf39ee890013b9b8e8ad26b07

SHA256
06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

SHA512
8fee84a791ae85175b7d61b54c66fc47abd4e231b7194779d2213f94c388b23e3f8e0408a1f29856b2a0404d824f17858f6b0676f6a1656428424665658c4a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaB9DC.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8732.tmp\FiddlerSetup.exe

Filesize
4.3MB

MD5
5d96b95b066d797c7c468d125882ddcf

SHA1
8a130db5e4f6207b70939c5007d6689c22378c7d

SHA256
7ea1a09eeab47eb4658938bf4a023c6231de726ad076fde189c3383ffb4091fe

SHA512
fd746263b0aad96e90468aac664a3f02af20c2291e03138cf201d68036bd8ce26cc36b5fdc4e97ae5f93c65a5660de91988e3ee7156359de509fea9b4308550a

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\d12b539b25fd704b7b7ae29b10af66db\EnableLoopback.ni.exe

Filesize
160KB

MD5
e6c14393c99958e451ccdc531f17f652

SHA1
3925d44b95e8cf094e26b1d2476079c69c9e19aa

SHA256
0ee22d54805576b590b8b75dde89043e2a7bdc8bd45322b9712e5a07a82143a3

SHA512
a08a18a14712e61b8c6d6c1ca3f9b6be32cd252ccd492e7c871432c384f141ebf562c24b3a09be2062d555b91e6f0ec79f2983949d5293219db51c8fb7b18477

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll

Filesize
16.2MB

MD5
b5840712456c7cb4de53695522e2a41c

SHA1
c8fa753ff825f929d5e78d6f6059fc6806951a69

SHA256
3cd39a70525ab32c60ed04b3791d692106afc322f399561cc7bc5b5a8e8d2a64

SHA512
02220870c1c06a15352f7cc75deea2645a58d93ec40f3a465cc0373d9aa98746f8739eb9120ddf8b5a3acafc6db617d3c77c7825eb7a11abab81e1fa466dcd1e

Download Submit
C:\Windows\assembly\temp\E3BCWXBDEA\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
C:\Windows\assembly\temp\ISDJZWCTKK\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
15d9528aaa8f3ef914a4ae5662f138eb

SHA1
944e083df6082e372e81a5dfa7979f4d5e519ed3

SHA256
5bcc2ba91c42bb47333af2d30a23d9009475e8710e06f82492e377aa6fe29d4e

SHA512
fc22d60f9dc0feadae1a6ee296129abab2d6dd963df35416d6b9d36d00d22f4b2e7dfc2f111cec5d28c8625fec75b68f68ed4ab3fffb86a1c94b8f322a65049c

Download Submit
C:\Windows\assembly\temp\KJ4VRMTT7Y\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
memory/368-521-0x0000014741630000-0x0000014741648000-memory.dmp

Filesize
96KB

Download
memory/828-303-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/1224-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1224-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1224-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1224-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2448-232-0x000001DDBC040000-0x000001DDBC568000-memory.dmp

Filesize
5.2MB

Download
memory/2448-244-0x000001DDBB740000-0x000001DDBB762000-memory.dmp

Filesize
136KB

Download
memory/2448-257-0x000001DDBCE20000-0x000001DDBCE9E000-memory.dmp

Filesize
504KB

Download
memory/2448-259-0x000001DDBBF90000-0x000001DDBBFCC000-memory.dmp

Filesize
240KB

Download
memory/2448-260-0x000001DDBBCF0000-0x000001DDBBD02000-memory.dmp

Filesize
72KB

Download
memory/2448-256-0x000001DDBCF50000-0x000001DDBD072000-memory.dmp

Filesize
1.1MB

Download
memory/2448-262-0x000001DDA33D0000-0x000001DDA33E0000-memory.dmp

Filesize
64KB

Download
memory/2448-255-0x000001DDBBC70000-0x000001DDBBC8A000-memory.dmp

Filesize
104KB

Download
memory/2448-142-0x000001DDBB780000-0x000001DDBBB02000-memory.dmp

Filesize
3.5MB

Download
memory/2448-253-0x000001DDBBFE0000-0x000001DDBC024000-memory.dmp

Filesize
272KB

Download
memory/2448-254-0x000001DDBBBA0000-0x000001DDBBBBE000-memory.dmp

Filesize
120KB

Download
memory/2448-252-0x000001DDBBCB0000-0x000001DDBBCE2000-memory.dmp

Filesize
200KB

Download
memory/2448-251-0x000001DDBBB80000-0x000001DDBBBA0000-memory.dmp

Filesize
128KB

Download
memory/2448-250-0x000001DDBB490000-0x000001DDBB4A2000-memory.dmp

Filesize
72KB

Download
memory/2448-249-0x000001DDBD2F0000-0x000001DDBD7BC000-memory.dmp

Filesize
4.8MB

Download
memory/2448-247-0x000001DDBBB40000-0x000001DDBBB7A000-memory.dmp

Filesize
232KB

Download
memory/2448-145-0x000001DDBB4B0000-0x000001DDBB56A000-memory.dmp

Filesize
744KB

Download
memory/2448-248-0x000001DDBB410000-0x000001DDBB42C000-memory.dmp

Filesize
112KB

Download
memory/2448-246-0x000001DDBBB10000-0x000001DDBBB32000-memory.dmp

Filesize
136KB

Download
memory/2448-236-0x000001DDA3290000-0x000001DDA329C000-memory.dmp

Filesize
48KB

Download
memory/2448-245-0x000001DDBBD30000-0x000001DDBBDE2000-memory.dmp

Filesize
712KB

Download
memory/2448-258-0x000001DDBBC90000-0x000001DDBBCB0000-memory.dmp

Filesize
128KB

Download
memory/2448-241-0x000001DDA33C0000-0x000001DDA33CC000-memory.dmp

Filesize
48KB

Download
memory/2448-243-0x000001DDBBE00000-0x000001DDBBF86000-memory.dmp

Filesize
1.5MB

Download
memory/2448-239-0x000001DDBBBC0000-0x000001DDBBC68000-memory.dmp

Filesize
672KB

Download
memory/2448-242-0x000001DDBB6F0000-0x000001DDBB740000-memory.dmp

Filesize
320KB

Download
memory/2448-234-0x000001DDBB670000-0x000001DDBB6E6000-memory.dmp

Filesize
472KB

Download
memory/2448-237-0x000001DDBB440000-0x000001DDBB48A000-memory.dmp

Filesize
296KB

Download
memory/3256-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3464-398-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/3596-140-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/3600-320-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/4132-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4132-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4132-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4844-372-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/4948-274-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/5172-443-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/5568-471-0x0000029A7D110000-0x0000029A7D136000-memory.dmp

Filesize
152KB

Download