hxxps://bigdatafriend[.]com/connect/?hxxps://bigdatafriend[.]com/?utm_source=bing&utm_campaign=d[.]beaver&utm_placement=search&msclkid=13ba839728ee132c9de7e6700722812c

Resubmissions

08-03-2024 19:13

240308-xxgdfaec58 8

08-03-2024 18:55

240308-xk8l6aeg6v 6

Analysis

max time kernel
1203s
max time network
1209s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bigdatafriend.com/connect/?https://bigdatafriend.com/?utm_source=bing&utm_campaign=d.beaver&utm_placement=search&msclkid=13ba839728ee132c9de7e6700722812c

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
800	node.exe
1736	dbeaver.exe
5840	node.exe
4684	snap.exe

Loads dropped DLL 4 IoCs

pid	Process
1736	dbeaver.exe
1736	dbeaver.exe
1736	dbeaver.exe
1736	dbeaver.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
50	raw.githubusercontent.com

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5ee685.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ee685.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{575F8743-E380-426E-B41E-B72C0697E25F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF318.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ee687.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c2cf76efb8a5767e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c2cf76ef0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c2cf76ef000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc2cf76ef000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c2cf76ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 206204.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
1952	msedge.exe
1952	msedge.exe
5004	identity_helper.exe
5004	identity_helper.exe
5396	msedge.exe
5396	msedge.exe
5396	msedge.exe
5396	msedge.exe
4488	msedge.exe
4488	msedge.exe
1412	msiexec.exe
1412	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	232	msiexec.exe
Token: SeIncreaseQuotaPrivilege	232	msiexec.exe
Token: SeSecurityPrivilege	1412	msiexec.exe
Token: SeCreateTokenPrivilege	232	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	232	msiexec.exe
Token: SeLockMemoryPrivilege	232	msiexec.exe
Token: SeIncreaseQuotaPrivilege	232	msiexec.exe
Token: SeMachineAccountPrivilege	232	msiexec.exe
Token: SeTcbPrivilege	232	msiexec.exe
Token: SeSecurityPrivilege	232	msiexec.exe
Token: SeTakeOwnershipPrivilege	232	msiexec.exe
Token: SeLoadDriverPrivilege	232	msiexec.exe
Token: SeSystemProfilePrivilege	232	msiexec.exe
Token: SeSystemtimePrivilege	232	msiexec.exe
Token: SeProfSingleProcessPrivilege	232	msiexec.exe
Token: SeIncBasePriorityPrivilege	232	msiexec.exe
Token: SeCreatePagefilePrivilege	232	msiexec.exe
Token: SeCreatePermanentPrivilege	232	msiexec.exe
Token: SeBackupPrivilege	232	msiexec.exe
Token: SeRestorePrivilege	232	msiexec.exe
Token: SeShutdownPrivilege	232	msiexec.exe
Token: SeDebugPrivilege	232	msiexec.exe
Token: SeAuditPrivilege	232	msiexec.exe
Token: SeSystemEnvironmentPrivilege	232	msiexec.exe
Token: SeChangeNotifyPrivilege	232	msiexec.exe
Token: SeRemoteShutdownPrivilege	232	msiexec.exe
Token: SeUndockPrivilege	232	msiexec.exe
Token: SeSyncAgentPrivilege	232	msiexec.exe
Token: SeEnableDelegationPrivilege	232	msiexec.exe
Token: SeManageVolumePrivilege	232	msiexec.exe
Token: SeImpersonatePrivilege	232	msiexec.exe
Token: SeCreateGlobalPrivilege	232	msiexec.exe
Token: SeBackupPrivilege	5888	vssvc.exe
Token: SeRestorePrivilege	5888	vssvc.exe
Token: SeAuditPrivilege	5888	vssvc.exe
Token: SeBackupPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2576	1952	msedge.exe	87
PID 1952 wrote to memory of 2576	1952	msedge.exe	87
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 448	1952	msedge.exe	88
PID 1952 wrote to memory of 8	1952	msedge.exe	89
PID 1952 wrote to memory of 8	1952	msedge.exe	89
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90
PID 1952 wrote to memory of 5064	1952	msedge.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bigdatafriend.com/connect/?https://bigdatafriend.com/?utm_source=bing&utm_campaign=d.beaver&utm_placement=search&msclkid=13ba839728ee132c9de7e6700722812c
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad5df46f8,0x7ffad5df4708,0x7ffad5df4718
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1284 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6051830015129145558,7533648936700754848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1940

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\dbeaver-ce-24.0.0-x86_64-setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5296
- C:\Windows\system32\wscript.exe
  "wscript.exe" "9.js"
  2⤵
  - Checks computer location settings
  PID:4304
- - C:\ProgramData\jvb\node.exe
    "C:\ProgramData\jvb\node.exe" C:/ProgramData/jvb/node.js
    3⤵
    - Executes dropped EXE
    PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:6012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2212
  - - C:\ProgramData\jvb\node.exe
      C:\ProgramData\jvb\node.exe C:\ProgramData\jvb\com.js 0
      4⤵
      Executes dropped EXE
      PID:5840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "vol c:"
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "C:\ProgramData\jvb\snap.exe /capture /convert=C:\ProgramData\jvb\gs.jpg"
        5⤵
        
        PID:996
      - C:\ProgramData\jvb\snap.exe
        
        C:\ProgramData\jvb\snap.exe /capture /convert=C:\ProgramData\jvb\gs.jpg
        6⤵
        Executes dropped EXE
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "vol c:"
      4⤵
      PID:5452
- C:\ProgramData\jvb\dbeaver.exe
  "C:\ProgramData\jvb\dbeaver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ee686.rbs

Filesize
9KB

MD5
89907de3f2ab9d1f945ff9df10080b6a

SHA1
ffc4ec072a7755e6b1ae61fac538e12dfae1b295

SHA256
c7b5303765776909a00a065696b55b2e8701d315e26763cb81bfa1790d19583e

SHA512
00004d1e968c6c589424591e30401912f365bfdd9432440b7bd650e929393b249e5249f659caec75fc72f7b0d6d2d6fdc148746dc67167ea371ec9c16a25485c

Download Submit
C:\ProgramData\jvb\9.js

Filesize
112B

MD5
23578f94ff3058c385394a252b27044f

SHA1
ffa1adb01394d91628b10025d6a6dcda89853f24

SHA256
1dcbcccce710038721185bbcc21f5909c1857d7d755a0ddb9a7d1ccd91143b90

SHA512
b3d365e911a17f78230198ef7872ddfe5ac1692ca35f46ac2fb35463210a1cec00ee64087b6117eefcdf4192b729557b6b49f3d79f901f9da385a8a183026562

Download Submit
C:\ProgramData\jvb\com.js

Filesize
4KB

MD5
6fdd2cb2f3e76f719fb4145c466a0bff

SHA1
2d40387332786b09802a4e97682e932629deaf79

SHA256
4cd47e27bd4ee84090aec64abd4166151d5a9e230c9576cee88a4121411fcb0a

SHA512
cf97b094dd1e956415e786c20875be5135e9ac80d4bd9fb55c4b1657d769e3837f6893eb7bb84de12f54f47cff24ef1edf8893fa3dcc08899aa1b0c7c0369ab9

Download Submit
C:\ProgramData\jvb\dbeaver.exe

Filesize
2.0MB

MD5
47a14712b044302471323f3f65516dc4

SHA1
1c34e17b1d0a53d85872b10272a3609040b85bd1

SHA256
83dd5ddff6fac260cad60101c1fc369a99868fd772246798a505e5f93c9d9c5f

SHA512
bbbef52724abad6dd09e3fc122d6e37aea54747263703024e24b2ecbbb6b9def0882ddc08b5a23f59e5cbf690ec5c4ab6c9ebef3f9e976dff647d1f30c36d78a

Download Submit
C:\ProgramData\jvb\dbeaver.exe

Filesize
7.8MB

MD5
314fb7e3523740b3e6f04cde8c394993

SHA1
e52ae2ab12c0e7153faf66ca2dbea15e89ab5826

SHA256
0759354b61fbdb6024e8ef35a76c3194dc3bac5e7cfb61ac86b23f85c04dac7a

SHA512
d20c371fefdf6145e9603803876af325ebc3daa7694f8c7e8c64f17ddaeb40fb88041be37c02db20faae69e196967ec0bf6c33d01a2fed8789d06171e1d74653

Download Submit
C:\ProgramData\jvb\gs.jpg

Filesize
80KB

MD5
48e672c0ec43652130ef7317cce81cfd

SHA1
355922a6cd60a9706077682ba45c68ba817419d7

SHA256
b68a97fd0aa331c1f02b0b3767af5d3ce5f4213198b29e1e4f8a9a31ecdb0884

SHA512
8b4694769eb92f4b79c0fdd009801f4b6c7836272f21aa40c1d5244ab718441c7217c9266d2545f7a1fc8ef8347f2969d0d684c9c60872b5d600404239284b19

Download Submit
C:\ProgramData\jvb\node.exe

Filesize
896KB

MD5
69b2b8edea271a947185a7348447ad82

SHA1
d38b6d5389382ecb6ad59fb296366a2981270213

SHA256
e6d40b925ab4bc5d45cc94d58dbce2d91949641fd7c2076496a950bbfa068af0

SHA512
801f5ef665b622bde8b648804cd8d7e2eb011ef126058bbf2329d7af63039d3f09952a4b33ad13dcebca93e9531c8ce3c24537ce4ad24d9d7eb595beda3b62a1

Download Submit
C:\ProgramData\jvb\node.exe

Filesize
12.6MB

MD5
10b2e0b825e57ea1309a57b1558c4a79

SHA1
cf2ed79dcfb6700291ebab0d503c5cec1988fe5e

SHA256
858c77c1d595d096e694923641dafc3358b740b0ee8d6302cde6b6b2dd4c56c7

SHA512
07f5759bcf0dd1ce77ad8774ef196c78ad6169441749d425f9fed5d10b977c8f6714d10f52630e734d1c80ecbe120847cfa39f001a98b5ca60e223da3c833b02

Download Submit
C:\ProgramData\jvb\node.js

Filesize
524B

MD5
7965081e2ec0920aea7d72a50c817e88

SHA1
54693a27c38dcef552539fddb3be6878053af5b8

SHA256
88b8a2bc4f152ae3b5fbe6785345c926ec870128a7bc287ad8a8030354557e66

SHA512
639e6cbb821cf06fa9e1a5758b24a16d8ace6c2827e1861bc2bd748cd9b29bb26b4ba9ee813b93198ec70fcda84501678cb40bd33958466285675038571a4659

Download Submit
C:\ProgramData\jvb\snap.exe

Filesize
1.9MB

MD5
b103655d23aab7ff124de7ea4fbc2361

SHA1
904bf233b9070af245f4dbcae11828615ef8715b

SHA256
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc

SHA512
fda0e3855522039d3b56e15b169b4c634672ca181ced78a479b6723c22ce889308db55aa1ea58fa8cb01ed1657fddc52a2c45d904c6eb5b852a171bcba310a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D29921725D6699AE382CD53FA763AA48

Filesize
1KB

MD5
91dd748f2a9249c69a33ccd0ffb495a4

SHA1
e54be602aa862da2a9ad21a98df3741bcbbb5063

SHA256
dd7d26e62080f75fe65b5966c89bf8bd5321531eb6e74606b8ac3731e5bf34be

SHA512
d21bcd3b32be0f1cecff26abf8b7ba94c8ff8c98946304d108d7ae0b3ec40e8fd39e87bb650d6aa7fc2492e4a45d6c6413b592277d1be5753624c786adbe9814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
52aa98b61fe137bf1b4d3ab43aee71ec

SHA1
f7881118a7bb03bb4bab671081cab226b32252c8

SHA256
fbeb93dd104b7e0b0192b141c69023e062c9e8cf4072cbaf497e3e42b8051df2

SHA512
58ec86b94e3ef4a6413fd1d6835d63093cab4db1647ff8cefeef0ac75921eabd90305100f3c312fa1034741104e729b98dfd10a0792cd5c1142492fd864764cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D29921725D6699AE382CD53FA763AA48

Filesize
536B

MD5
491a4bd72a33c42923ce8bfbfc218e01

SHA1
4b0951bc916dc6f17c15b84f0ba52c162706653b

SHA256
6ccc28ddad0d8b9b902b61ded0397838d36f6aab84255f170752b1067fcb62ab

SHA512
1ff0338711c0175676efd6eb6b53862ae807a8124e1750dd9e3e2c39f08809c941361f49c97b7596a28bcb4072e548cf4a66996786c88b6dc541e514c8e1f90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
e818a1fa6351f3d5ccac0db18cfc8495

SHA1
edf472a5e8f7292ee90af72e8804c347bac11370

SHA256
3be0027cd6738eff9112f2fc1a9b3062fdce44f386f96aac5c1353372680d50e

SHA512
77356781557ca4a77fd56b2090cf7623f742fc1552eeeca03db2f95e73bbc4681318e0792eee3541c0295a39a1b3a57be4c875ac5e18d39ff092ce5e57757690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
ada9a3d98585e06b0d4b4758e4b75492

SHA1
fda5f902cf26096014a2e615bd3c7baf68f356d5

SHA256
dad81a6862fcdf06022566a564a71effb50494c3357aabb68d1dacd4769672c2

SHA512
aab53cf11b169fa122c0d69e40599a8776b7192e6615410f9f5fa1b1b5a173ec57ded22abfdfc071109b49fa21115f8756f2bcb2f8766136fa45b2dfb6a4a962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
489B

MD5
c62ee9dc9447797fefda404eeb907005

SHA1
c5a1ca792194d82d3a78b051ae34edd7e8060d19

SHA256
15c4a9ba46bc0419ce030c8aaa27ed1917a15858e6ea135ad2795d38b8d08e8b

SHA512
03c2466a80b76fd9a5e8a6c7889589762cab139b512091d012ed791337df46b9d3731b4cb5f0e9e024fd7dc54a5012c7ea2c11029b9ea98701ff8cf3124e217c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eed1618e705b6fe7c654e6677659d895

SHA1
c4fda250c16a9c6f07641268b8e2882737289af6

SHA256
be706858f16323d3500a75e3453242c94988a6b017470c1a67955b77bfd25871

SHA512
554257fed69a3c998b765c7cc714c811142f86994e6772ee3c44db5fb782fd4c7544dc1434d10afac2b359ffd81a8361ea6aab2cbf0fd53db0e24ce7afd6bf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
beb956bfdad2ba9ee7ac126c19ce3611

SHA1
7bef1acfea5304d8e1983ae0720e691fcb15a582

SHA256
9f3a4d28b288ddc184b16cafee8538d64ddb0a46f445972bc77cc19afe5cafd5

SHA512
7bedf8b8e8dea955553308f0d98f7749e92d537a3ceec36192edc53bee262253b24465cca35c3818593ef0d3d824df8d58a7ba9800d4ae8ae9899df27461b6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5d957ce1626f9973cfaa1b8639fa0db

SHA1
dcd1d1bf5e2166580373affbba208e867372a123

SHA256
c29155f0fe83a4f798bdd490a3fa12b009f5e5282848a66451947351076909ab

SHA512
a7d94a293126cbee821d30a2be6ff39f2d49477e7a2da2faa08f490895feaa6df62bc2ff78c81d5c9e5b37eb0d19e371bd32471f926349a898aab7c76f8cdbf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54efab9e725cca9f06e8b347740eb482

SHA1
9815ad892bd042da40e6324f1f3b9ab16d195882

SHA256
bc4aaeeedd9e651b2597b7735fee5656559f6980da5ee65a3857cd18b8c50542

SHA512
acb461b8362871983f0a46a69ae6e36097f2c2533d7502f21251af4c90a6838b96f4f26f2563bb04833f7b8fae25d5bef42f7dc2177a8f6c588e58b7fafcb16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
22418a8a20e7e7c24f695f20c8ef30c2

SHA1
495a2490202a9f8cec42c3af1bcc09dde654fc5a

SHA256
9f6ae3c4ed91d560893b07953d7f69ea77f2a0eb93360365ec874c46fadd6f01

SHA512
bd14af4bbc00049b9021d99a2ed319edcb0724a6f2ed7357a33e7a2aaf05ef853998d911c408e89d6bcb71538dca1c00bab898c974e5bf8d870eaf33a4443e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj270A.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj270A.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj270A.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj270A.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 869225.crdownload

Filesize
9.7MB

MD5
fc8a5ea90960ee75530df1df034441d7

SHA1
b2736b7779bf6fec36f119413fea0efde265ec21

SHA256
33b317a11140e2080eba4fb94d12d64ed399cd82a056909f6561f51f5bb6cf64

SHA512
54920132a1655659fb71f2d53a9fca56c728082b1555d34e4d988fd27d87a9a6c9b2ac63654ccc5082ef478e85f9fe4fc8ec4c20cc8f3f3be80fd05436fd525a

Download Submit
C:\Users\Admin\Downloads\dbeaver-ce-24.0.0-x86_64-setup.msi

Filesize
20.7MB

MD5
f06f49c93e89b41f536186a31ce694f8

SHA1
ac84dc86d4c64d4c7121b2edbd72ac1f5c1606a9

SHA256
fa13fb864a2b05fcb0b1f2eb12cb0c2aa114d1914a8e93a653e6ec3e790c245b

SHA512
fcf0ea6d5b7f01a83aa809030ed7495a3d5d6a6616b046de47702899067fc3e9da250a1baf432839ef2d3293a26984534cf2f9680e27d45ed08b3d926b462013

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
5.1MB

MD5
002b925a56fc49365dc495d887fd8a4e

SHA1
2ee4a4304ba9680735ac76dbf4e58eae030a971f

SHA256
0e46fd722e8498532e46b73130c8d897e07b64eecb06b4d5f849bf8a816b7c0c

SHA512
99a81266d72ed0e7b9ba2ece5d718930726b8033823e2f23e054d9b6a7f54ac88c525afefc64d68be70428b0be48c166cd7e8715ecdd40a73d14f4464d57f9e9

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{879d7fd1-715e-4456-b692-b617f0b940b7}_OnDiskSnapshotProp

Filesize
6KB

MD5
a7a0bf23dcc15f405d0ecab0ff1a9005

SHA1
ee3cb73bbadcf8b547b083508c4de332a95c7f3b

SHA256
e5702fbdb929d59a9ad3119e76e33694b6dc042b526368b705ab3603a4c5ab64

SHA512
0fbce76909dd08b909a80cf20cad53e0adbd06a071aa4ddac67bf55713a45725798305f6d1a44f5967a1b7b1e6ab43944722bd7c52af35a8d5c2fac928267132

Download Submit