Analysis
-
max time kernel
894s -
max time network
897s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
09-02-2025 03:27
General
-
Target
Predictor7.6.3/Sounds/VisualStudioSetup.exe
-
Size
4.2MB
-
MD5
588266fd79a4a51b4fd501d11eabc372
-
SHA1
e980ac3a93c89e67d1f33d86fffa391c5ba7ff06
-
SHA256
2e4e7be2891916f6158f45dad8ff5300ee2f78fc7df0d00a031cd5f86693e7ac
-
SHA512
e5d49e85f911b0646e067f67523cb7e40e9b6e6c13c31dd82294c4afcc270ae9c91f4728c722bc5e5ad9bdbb5cdd21b81747693960d53bbd07554db6a85c6115
-
SSDEEP
98304:IEbiDMuEbMHwTFSEAlODcXQ874QDdqiJXM8ux:kB+MQTFSLlOsrRMiJXq
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 21 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
System policy modification 1 TTPs 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Sounds\VisualStudioSetup.exe"C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Sounds\VisualStudioSetup.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6d50b8b38c4f718fe9db38632c14\vs_bootstrapper_d15\vs_setup_bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\6d50b8b38c4f718fe9db38632c14\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Sounds\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Sounds"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\getmac.exe"getmac"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjA1NjVCODgtOTY4OC00MzVDLUI0QkEtNUJBQzQ3N0I0NDU4fSIgdXNlcmlkPSJ7NTE5RDNFQkYtRTIzQy00NTUzLUE2ODktOTgwOTNFRTJCRUVCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjEzN0Q0NUQtQzQ4QS00MkEwLThBN0QtQ0VEQjAwRTk1NEIwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzA2MjUwNzkzIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\MicrosoftEdge_X64_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c9b0a818,0x7ff7c9b0a824,0x7ff7c9b0a8303⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{98F951EB-1A82-410C-A316-F74F3FEB067A}\EDGEMITMP_FD5C3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c9b0a818,0x7ff7c9b0a824,0x7ff7c9b0a8304⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76d05a818,0x7ff76d05a824,0x7ff76d05a8304⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76d05a818,0x7ff76d05a824,0x7ff76d05a8304⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76d05a818,0x7ff76d05a824,0x7ff76d05a8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wwahost.exe"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjA1NjVCODgtOTY4OC00MzVDLUI0QkEtNUJBQzQ3N0I0NDU4fSIgdXNlcmlkPSJ7NTE5RDNFQkYtRTIzQy00NTUzLUE2ODktOTgwOTNFRTJCRUVCfSIgaW5zdGFsbHNvdXJjZT0iY29yZSIgcmVxdWVzdGlkPSJ7NTkzQUVCNjctREUwRC00OEYzLTlCNEMtN0U2NzY2QUQ0Rjg3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBjb2hvcnQ9InJyZkAwLjI3Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0Y1QUVBMzUxLTAyNzAtNDMzNC05MDJELUZENkY5QTAxMDIzMn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIxIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MjE5MTg5NDIxOTcwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDkyNTkwNjY4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0OTI2MzA4MjIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMDIwMjkwNTc1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MDUzMzMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9WTlZMkhMd0cwbDh5SXBXMUhlbGk2WUk0WEN4VDBGTFg1TTNyT3FGMzZQaHRrS1Jvc3Nsd0tZVlo1TzYlMmZFQ1V4NFJZUmJUaG5KZVA5UHoxZmc0TzVWZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIyIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzAyMDMxMDU1NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MDUzMzMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9WTlZMkhMd0cwbDh5SXBXMUhlbGk2WUk0WEN4VDBGTFg1TTNyT3FGMzZQaHRrS1Jvc3Nsd0tZVlo1TzYlMmZFQ1V4NFJZUmJUaG5KZVA5UHoxZmc0TzVWZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjExNDIzMTgxMCIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iNzA3ODc3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMDIwMzIwNTkwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcwNTMzMyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1ZOVkySEx3RzBsOHlJcFcxSGVsaTZZSTRYQ3hUMEZMWDVNM3JPcUYzNlBodGtLUm9zc2x3S1lWWjVPNiUyZkVDVXg0UllSYlRobkplUDlQejFmZzRPNVZnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iMi4yMC4xMi43NCIgY2RuX2NpZD0iMiIgY2RuX2NjYz0iR0IiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjM4NjAzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMDIwNDAxMDE3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMDM0NzQwNTIzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzYwMDEyMDUzMyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjEzNTcyIiBkb3dubG9hZF90aW1lX21zPSI3NTI3NzIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTY1MzUiLz48cGluZyBhY3RpdmU9IjEiIGE9IjIiIHI9IjIiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswQkE2QjIyQS03RDE2LTQ5NTMtODY0MC00NUFFNzc2RjM3RTh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuOTIiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7Qjk4RDc5QTUtNkYxMC00QjM2LThFNDUtRTFERjMyNDc1RkI5fSIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD5b4c8ad75087b8634d4f04dc6f92da9aa
SHA17efaa2472521c79d58c4ef18a258cc573704fb5d
SHA256522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf
SHA5125094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3
-
Filesize
3.7MB
MD53646786aea064c0845f5bb1b8e976985
SHA1a31ba2d2192898d4c0a01511395bdf87b0e53873
SHA256a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f
SHA512145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4
-
Filesize
70KB
MD5d04a098f4a9f1b6a2d6678f55728caf0
SHA17f147ee1e935e56943247087383aa6052640bcfd
SHA2568f872905a79599fa7a39875abb98a205f2f8ed0e0fbafc6a371f98a21e0de5fa
SHA512848a1fef8b423f8acf07198a939f4147fe6bb878489eec50b5cc70f14477e6af8ea19a162f14beeecc9c9eba0988b91fceaabac5338abab6d154c2b36c486237
-
Filesize
100KB
MD516b39e16caffe8c88a42779e1bcb3bce
SHA1306ad7aade45ded63d5309ed9cbab5dcb4192e7c
SHA25657aa863287f4de01e93cd01ffc41993871148b9da99826a0e14be7edb9f09bbd
SHA51286d5b9814732878430d9097d3e4285cd97b1927cb78fda45f2466c324ab2761398b1aea2574a9e0ca0d428840299f0011ec159dc178f7b5c7465d20c797d6637
-
Filesize
101KB
MD52afc19ad3bd53e6261c7c5e0f515919c
SHA1ef54e45c2f649749f738e2a59cfb539aeb05804c
SHA2560ac886479d1de1485084d300abf564a2cedf8bd5b0247dda09fe1180404f838d
SHA51202b3793786b10a1dfc38cb56b3f0d478a8e7c00b7593f8c39560d540ae49fd4b0b2b0d8115173c62b5b9ad7bf427c5a47105e386d5c2792a74dad3e09f7d780b
-
Filesize
1.0MB
MD512c21f52ffdd333370f452bafad9e020
SHA107e6fd252d22ad6dd1b42000b906d9d117d005d4
SHA256f35678b2f1236bcee1b84a13e6d25b985a28c0f933bb05ed91edde9457e3fa91
SHA5121b3a448240fca193ed043e4297a5888fa3b905207844e178e19fafc9ad868a76a16eb53a2d11db6f5da5c483e2a1408383d2fc70016a7a15ec609cf015f01af0
-
Filesize
162B
MD5ad891c3b02a02419dc60db8c273a8315
SHA1141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA51264cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f
-
Filesize
3KB
MD5b8840daf578c76224a357d96af8367c6
SHA1c6e6c30dcabd63ea298fd1c8a1bef9c2b4cef7e8
SHA2568bb93bfa6f550028e3f2aa74c4f9d81015e866e5767a9097891770b14281c222
SHA51202a7f3680e813cc8165e40063b95b0a58dc1a601b05045c17e07c1604b94f43bc410200ab1bd32c84ca93fb53e5cfb2fa2385b72c6ce3c64525a8558413ebc56
-
Filesize
5KB
MD560c7b8c1391dee9f7626e045421d034f
SHA169bb8f152a937a6cc74845d69a0598ebaec289a6
SHA2567267c9ff0bb470f705c46e1ae53dab2bf32855db5596587d36d900207073a8b0
SHA5128bf21d35d17d63222355b0f11212da4eaea835262fb4c93f2ad1a8333a0c3a3c716d14e6cccacb99a40ae708956528ddd061f7a092c1f200ec3e93ecf75e16cd
-
Filesize
18KB
MD56240940009abe0240203a943741f22b2
SHA121d7eaa572a701d2c463f1421b1b4dbb4355e91d
SHA25662d8143505b130e7dcd2488384c19827787f9370c132d0c05957e16c28c70447
SHA5124360785a85aa89aa303fb5a4e15233287457b6c46fb0a96e25b89703cc305fe76d0424fc93187da9dc25596b75c33ac9cc171ae37d599b0d914a3e22b0f0f9ea
-
Filesize
115KB
MD57ee93c9293b25b94360c0bb61a0978d3
SHA12cd3c71473da6f2cff01f63ea3245e0c7794d15c
SHA2567424bdcd743c2784e4043f7c489697b6cae3c7dae17b7190967b5522dd3d9bb7
SHA5120523a771b3685604aab6088d194be5c3555011bd9a57f622f12fba1c6749f7974fc358563a54a85932dfd5be7cf342148fc972bbbabad5d8a5f421fd2e6ca367
-
Filesize
46KB
MD5355c1a112bc0f859b374a4b1c811c1e7
SHA1b9a58bb26f334d517ab777b6226fef86a67eb4dd
SHA256cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
SHA512f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b
-
Filesize
581KB
MD5b952eda0274f5fe9651312bbdbd35c36
SHA1a1ca4f102124ffed512b2fd818ef21f29a094f95
SHA256e8028eb8af8ccc9b78fc688c96e91eb45add8d9f72ce90c365a1eab1f812fe08
SHA5128192b534adc3442ab23f8c040c4b67a907125ea86ee3f9e6b65f80aa731242b53e174eb394a05599b0e50f6f435f26b93c99b363adcf16724edf83917db79e9e
-
Filesize
307KB
MD5484742c8c65f83e4b272692fa7badb3c
SHA1fa16f4159547404ade16f8c1abcc8f6978da9abd
SHA25678531f435198f0b0e0170f1b2d683e7785e5c1ad133b76b6b471a036d6e1d4ac
SHA5121f47ef544ac5837766befebabab6d8122e3e28aef68e877794fa8ef9ca9583be011386c1eb8fbb566cea40b32b9268f3880f3f8f3c9ff8c78b0b3015d99a775c
-
Filesize
1.4MB
MD527f5c28bb57287a8f0187d7eee17bda8
SHA15b04cd155ee665609cc10c7e8cb72951843d3a5e
SHA256cc3219b8b031286813871debe27e4d1ed3b2d8caac612d30c8a2cfca4806f41b
SHA512d9973d51adcf9b683a1a67844fb81c796346fbe268ad4d85b91b02dd06bb584903ca5bb9588ac64118e8893203c1bb3ddf1a6d1246032c3fd9a82b189f82ecd9
-
Filesize
950KB
MD5903f254110813906331bef23e680bb9d
SHA16e4adfae4281d0b5bd0d8efd8f8eb919e974bd7d
SHA256148081b9aaaee96125f7d2f09acffb95d7ce1c50d4e7b4b3ca8f3e372e2b8425
SHA512150f5b438199faf8922390bc2cf93684de4a134e9c82f0e608954f02c47f630c8be22afe0349bd049bb1bc57dcd0951f9cf119713087940a769e076bae00c662
-
Filesize
62KB
MD52dc1dc66b267a3470add7fab88b78069
SHA1dbe80047475b503791038ed7e47389c062c15c72
SHA256b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c
SHA51244ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
138KB
MD5f09441a1ee47fb3e6571a3a448e05baf
SHA13c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA5120199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
Filesize
17KB
MD5c610e828b54001574d86dd2ed730e392
SHA1180a7baafbc820a838bbaca434032d9d33cceebe
SHA25637768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
-
Filesize
8KB
MD5782f4beae90d11351db508f38271eb26
SHA1f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA5120a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4
-
Filesize
622B
MD5c65295c6216ff4987887e921b6ef7fd5
SHA160b9f9118bae393d963f33b5dcfbf78a3748e0f3
SHA2568618064bf0589dd3e38c36826b54c342a34ed22010883517b2025c54ee12e833
SHA5129027f92858fb68e2b71cdfaab57ac736b8e0bdfc03760ecee378691fc6ea4892d7246e807cc17a249b31d02c5e459a58ca7a60fabe78f54d329c8aca71eb99e9
-
Filesize
404KB
MD5e24ef04ddb8a5474314d34cbd3ffa0c2
SHA1399b9c3336116df479793d322f8c1e884e154fff
SHA25649fc3ec8ab51c8f05591ee0ff0d9040bed994dbc3ef9a417a188c6d69a56952f
SHA5127e845f995cf5bc448f9accf4bc6a9c26a1354ec72b138348e0d474465a101cc77ff4f2801c1b58e48819053f80e7fdb0d0cf25664c2483314cb33b0d312d67e8
-
Filesize
3KB
MD572f9933c6e247a13353d9725cd22c2da
SHA15b76599644e7c70cd5f08e5a80cec225c891a9da
SHA2561f423b67ee6ca6a714507ab08fbd383b6d442bd98d321f0a640d533d5a516650
SHA512afc7b5959506d197246fb482b0a2ca8f1ebfb5957234e547151d1e7a40047a2974768ccdf5c321a984685d99d4f7a1b0fbfb7fe81c40387a229808e45814a6de
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
592KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
744KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
968KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
1.4MB
-
Filesize
416KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
2.3MB
-
Filesize
56KB