hxxps://www[.]macrocreator[.]com/download/

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.macrocreator.com/download/

Score

8^/10

discovery persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET9E8E.tmp	RunDLL32.Exe
File created	C:\Windows\system32\DRIVERS\SET9E8E.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\bddci.sys	RunDLL32.Exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	WebCompanionInstaller.exe

Executes dropped EXE 5 IoCs

pid	Process
5532	MacroCreator-setup.exe
4728	MacroCreator-setup.tmp
2132	WcInstaller.exe
5180	WebCompanionInstaller.exe
5808	DCIService.exe

Loads dropped DLL 13 IoCs

pid	Process
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe
5808	DCIService.exe
5808	DCIService.exe
5808	DCIService.exe
5808	DCIService.exe
5808	DCIService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-time-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\http.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-sysinfo-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\ucrtbase.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\scan.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Ad-Aware Web Companion.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_stop.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-filesystem-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\BCUEngineS.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WcCommunication.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-synch-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddcihttp.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\de-DE\WebCompanion.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\lsa.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-memory-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files\MacroCreator\is-7SFM8.tmp	MacroCreator-setup.tmp
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-synch-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-utility-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-timezone-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\concrt140.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_reinstall.cmd	WebCompanionInstaller.exe
File opened for modification	C:\Program Files\MacroCreator\Resources.dll	MacroCreator-setup.tmp
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\7za.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionExtensionIE.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-libraryloader-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\vccorlib140.dll	WebCompanionInstaller.exe
File opened for modification	C:\Program Files\MacroCreator\MacroCreator_Help.chm	MacroCreator-setup.tmp
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.inf	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\x64\SQLite.Interop.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-string-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-conio-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\es-ES\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processenvironment-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.IEController.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Search.exe.config	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-localization-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\OnlineThreatsSimple.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-localization-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\rpc.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.pdb	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-file-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-filesystem-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-locale-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-processthreads-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-synch-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files\MacroCreator\Bin\leptonica_util\is-956BL.tmp	MacroCreator-setup.tmp
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\ICSharpCode.SharpZipLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-core-file-l1-2-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebcompaionReimageIcon.ico	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\it-IT\WebCompanionInstaller.resources.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_stop.cmd	WebCompanionInstaller.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe
3780	sc.exe
4524	sc.exe
5600	sc.exe
4280	sc.exe
6020	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmc	MacroCreator-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\DefaultIcon\ = "C:\\Program Files\\MacroCreator\\MacroCreator.exe,0"	MacroCreator-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\shell\open\command	MacroCreator-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\shell\open	MacroCreator-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\shell\open\command\ = "\"C:\\Program Files\\MacroCreator\\MacroCreator.exe\" \"%1\""	MacroCreator-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmc\ = "MacroCreatorFile"	MacroCreator-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile	MacroCreator-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\ = "Macro Creator File"	MacroCreator-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\DefaultIcon	MacroCreator-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroCreatorFile\shell	MacroCreator-setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	WebCompanionInstaller.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	WebCompanionInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 587542.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
64	msedge.exe
64	msedge.exe
3604	identity_helper.exe
3604	identity_helper.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
852	msedge.exe
852	msedge.exe
4728	MacroCreator-setup.tmp
4728	MacroCreator-setup.tmp
5180	WebCompanionInstaller.exe
5180	WebCompanionInstaller.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5180	WebCompanionInstaller.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 3156	64	msedge.exe	88
PID 64 wrote to memory of 3156	64	msedge.exe	88
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 4708	64	msedge.exe	89
PID 64 wrote to memory of 2016	64	msedge.exe	90
PID 64 wrote to memory of 2016	64	msedge.exe	90
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91
PID 64 wrote to memory of 524	64	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.macrocreator.com/download/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa98c546f8,0x7ffa98c54708,0x7ffa98c54718
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11365341774498893691,17197715228503146612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Users\Admin\Downloads\MacroCreator-setup.exe
  "C:\Users\Admin\Downloads\MacroCreator-setup.exe"
  2⤵
  - Executes dropped EXE
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\is-N5K3S.tmp\MacroCreator-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-N5K3S.tmp\MacroCreator-setup.tmp" /SL5="$90226,18142099,780800,C:\Users\Admin\Downloads\MacroCreator-setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\is-S5PFC.tmp\WcInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\is-S5PFC.tmp\WcInstaller.exe" --silent --partner=PU210901 --webprotection
      4⤵
      Executes dropped EXE
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\7zS458E157B\WebCompanionInstaller.exe
        
        .\WebCompanionInstaller.exe --partner=PU210901 --webprotection --version=8.9.0.735 --silent --partner=PU210901 --webprotection
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
      - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
        6⤵
        Launches sc.exe
        
        PID:5600
      - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
        6⤵
        Launches sc.exe
        
        PID:4280
      - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
        6⤵
        Launches sc.exe
        
        PID:6020
      - C:\Windows\system32\RunDLL32.Exe
        
        "C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
        6⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:4676
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        
        PID:4580
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:744
      - C:\Windows\system32\net.exe
        
        "C:\Windows\sysnative\net.exe" start bddci
        6⤵
        
        PID:1156
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start bddci
        7⤵
        
        PID:3868
      - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
        6⤵
        Launches sc.exe
        
        PID:1612
      - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "DCIService" "Webprotection Bridge service"
        6⤵
        Launches sc.exe
        
        PID:3780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
        6⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start DCIService
        7⤵
        Launches sc.exe
        
        PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MacroCreator\MacroCreator.exe

Filesize
2.0MB

MD5
ee8ca3d88b0d80ad5e0bc270bfbdf507

SHA1
ea91d3c7f056e92c1cc45d021c14bca3b7a43673

SHA256
711a8ceea0ae52371394b35a00d0b57893e4abcaa29ecd9e34ba86fae93c9277

SHA512
119a3bbc64eb137e31d004cbb6aab25776cd1843acf5504406b5851f4844ce6b574ab1145981a84d9b912c6331ef04429a87668ca3850a364d6141252dc244e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
62KB

MD5
daa01cc5a9b8b3a7730d8c940015554c

SHA1
6d3091870737fffb408000a4664c8a6f088b5cf7

SHA256
60dfc7c4f1adc5282ff9d3a0bd9445b59874ce5e123226d3d6f5339d1b998a6d

SHA512
7de57bc1ef544432cd0cf5e27b87fd19af248d2adde11b9b0b7f1cd5e762fe8ab08954344027b7fe32a62c142ba8411e3db42df87ed47a009437aaa511d6246e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
00d38773344c909647a2e44f02fbb42d

SHA1
0e902cbc7c6a04adabd6040b1f6269fae6d4e4ed

SHA256
6f3adaa09c4896f01fcfc79304c27e9905e2d044d76400d021b4a2b0925404cb

SHA512
0fff1fdb5d36cdfd99ea669d95a4746f4dd5da711d6ebe4166a31b0e50d47c6d1103e5b9f8523ea3bbd34942f9313e16fd9b78da00cb33cfb701020d6bd64096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eae18b638d8575791702cbe7b6bfd504

SHA1
826e4abc1e60556999c31dc268548102ae0bfa0e

SHA256
95ba82c1982ea4a00e7298e5f23ff7ad80e6b49f778d653be156cab34c878efc

SHA512
b542450dda9d0c2cc39b124fad8a97c9d2482e310b9b5c47c8fd98f65c268fb5499878837aa6728ebefd913723d1917f83dc12d7d57742acf9b4b13b5767922f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
a5c938b3467abb21916b52e305d1f515

SHA1
f5ed211a3bf236dfab3b2c1f20a8e19498272aec

SHA256
8eac8a0e22d26abdea1d001c6f443b0a99089696670528d00dc38873dba0e0be

SHA512
ace35382e884506d98e36e7449a2d4128a94355898802214fafb359833ac3f7c23d3db15716c5d4a0d23efbd8de378b55bb61e70058b1b57b44e7bc6ad36770b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
f21f9e9d87267bc14bc6c57fbae6ee42

SHA1
570a4f5ed27a05d44c20fdf911b98750bca405a9

SHA256
46082ed7c7d7cf971a1d2506fb9f3f1f985151669e387a26df763a81ebec9834

SHA512
7ac50627d89e67f9072fe1803a163db3a31255ebcb8fc9d5875fec5a1fbcd5397c70eaa5a4355a4d5f7ad768e007d5b2a404e364e820a4d0c08ee06cac69bcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
ab5b3bd7595986a9cadfc5425e92df5b

SHA1
0acedca82ca1ebc9bde90ec90dfad4393a7d4a04

SHA256
1ba8363fc626bf47d3b55bc195eccb3c0f992b73b0072df57a66f0e518273736

SHA512
cea7acf20dce91feb447a17aa132bd5c9d54ef54f29e1bacd584f5d3e25865e78dcc013cf1e882526eebf28cc96c4fefbb499086a2cfcb76c2d32f415b649e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
047d6d1802dc80d135a46d2dd480e5b3

SHA1
7be71c2ad0ebd9f567f6487b210247187b3e23a6

SHA256
0e52192ce54824afc2050a46103a8713cb48d9f55d001b5d188a099c043df2d0

SHA512
920cdfec072f9325e3c2e17a8898922411282faca979f2eb9b67926a0874cc74f726cbaeed07f5db39e2dacff2cf3dc9183a7ef002791a7bbfabf8af2e63163d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
200063ac8cdc63d5596e43b583480a2d

SHA1
cc350f169a889a4f42d55e160f208b5ea81f4711

SHA256
2987d134add4fa85f2af7fb8f12901f9fbe2facf4c0f3ea0e066b1b0c81987da

SHA512
0ade705a4b6076c81508e603f3e845c85951d6fc17480fcefcb52f0dd839e893b3aef41d6a3d5e0c559cc32f5803a6545a984d04f9056aeb69b811b8089ce765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fd09685cba8e89cc637b9b384f8f8875

SHA1
6d850c831b4dc65fcba4da555dd4cdf9fba67ba7

SHA256
35a7402ca49b91b194a91a93ace95c91c4b03cac1a160e74979b3129eb1434b0

SHA512
5a8fe562bc906dd9f6d4d605c34860508cc5c365145f3d5c78dc036d90ce76edcb0825f8976615fbd767d0fcdad452510014bd19d9dbac314212d0fb27f1f587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f94e28acb061b0078207941e903af833

SHA1
6ed920044dc071423ec540d23ae6f5128152cc3e

SHA256
e0dde2178d056ecff21cad8e568fa36ddbbd7b61b441ee9f3cfb4e3760409f7a

SHA512
db90f062b6c57dfb2ab209ddb12d9e268664bacc9a7f521989256ea15ebbdbe6a2cc7859034fa0c34e1f6cf0c4f11f19a459acc4406b13357d7948a5def3ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
59335570a806135ba294ba6bc5ad932a

SHA1
6f3f06e0d625ef7e4ac2f868b394947ea65d9a08

SHA256
2ef2ae4ed594606bcf605d61c6cd2c4055cd0957a264f8b97ff009eea1634f92

SHA512
d8562e222727e1d93bd7ced3a672461cc6b2fb6967a56416efbcede6c33c2bb439d454053801da975a4cb3f86fd5b3001341990c534db1f40242611df2e8da7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17a9644f798ca7ec482e8785fb300ed2

SHA1
dda7e8549071ac8319609f65e6ba88ec010cd98c

SHA256
977b4404a0cf2f405fe24cb352bf19376cb663a3014068f3b464e2b1c30dafa8

SHA512
314d54c7625240d83d61069c1fe57f41c413e746f83a4a2a9ec4751f32ddb6d7da3d9b374a47d4acdd9f002017222d1cd08d8accb889b7808ea9778b91c1bee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9c5e66ae4ae2ec991c4458f296d92809

SHA1
dd4514b9b14f7cd194f1c53d06a9273d9e2d078d

SHA256
1466e36c2a4c73c2a108fa813683cfe8db3f60b7afac4df4374d5039fa20601f

SHA512
b86065c13f502be2de6474f6b0cc5431e5af037aa3ff860d9a68c87e3284ffed864016428f46682be9f7b42d55419c8417fd440104b0b7dcfc2d72cf36ac7965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8bbb20310e2e4e03d7651fb9d51d88c7

SHA1
1a24eebdbcf3dac3db46f13acf87d5e7928e0503

SHA256
d2b4a7bd6731a2e25aab8aea9f3bd05172217c5a3360cafca4e9afbb0821216a

SHA512
d64fc8fe1352dc7b159c2f8bfdbebc85b04f8dbcf92d225de27c76e7ec469a684d4f67272c25e1d75422bd4ae6a95791c92f85efb4b2a9924c19050cad83b021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b82a913e8daf39c7cb8cb1ae2fc50f13

SHA1
6bd2b076928e44c6adb6cad5ff4e4a81ca39b4fd

SHA256
f8587634aa6ded492d3e13a99fabfaa1dc2b27cbf2eb99a6bae359cfe6b8bec1

SHA512
f734193b2356e92a69e336c1dfed30c149d28e8a0a8adbbdd92ec50e5e16cf348127d2ae67e68cb48d68f5412f570efbbeb5c03dcd1f47dbec1e25f0b268eb3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
873eb5411ef0bdd26d87262d0dd25f51

SHA1
eb5e9a91a2bc43440d3101a0250b3480c76189fe

SHA256
f0bcfcfa75847dac57a498d8860a91e5c031b2f87c95bcbd7bfb3b6552152ee1

SHA512
66e1734c7242a58013f46306301974accbacac4a03ed7df99477aa09fc48782c37b2cd72dd4cdc64b2b86b32ce16d137f3908bbc7f3c78335a29ffd328a2eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e416.TMP

Filesize
538B

MD5
b0950a6923ea070c990cfcfdbc539fd9

SHA1
0480d5060760bedd92683785cb4131da0002d0f1

SHA256
78d824d8b194a522be800cd75376ab6f28d7da6de080eacc0a6016a710d3beff

SHA512
2549591ae91f8e00013ce30cbea9371210a79dc90283974843969cc04cae24a5e1742cbbd6d2e7da01b30e32d4e1f417968a5f3a5643d1fca132007ad308e993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8fb295fdf5c31462d1fe86727b7a1320

SHA1
9f50ad185d15c0214f2fab0d71707d3949117602

SHA256
e4c70e31e34a177be3d9e94250307a7372fc86f060951461f7edb319b611146c

SHA512
88cf8fd298677cd92521ac8fc8a6f980a5327cb2cfd56772f71ba56bea018cc9708fb55b63fb2d09b712ffe428ef6994a26e11fe22d141097a49656201dd7d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c0d3f2fe7c76a8e7fe5ad3e2e58bc082

SHA1
09ec7ecf5202aa3a96b025616dfcb0481656595f

SHA256
224e1020033edc398563f146aa94c71a4ec5e417281ffca6dd36d70ba7fe4c51

SHA512
59bbe2d499d817e86f9ea49b1932c8c687e48c415e00af56298a2e05259516d907110f73655abb901e36b002f56bcca2cc6e11e54d4fd52f59e18f54573b1ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
49dbe4ecb05e1b358f72bdb50cceaee8

SHA1
277863844975b48ecfe6338d60294666b1436ea7

SHA256
c63e8fb24099a90a25b07b639e7122eab52def71bfbfa9ca103d1e718c7af7a6

SHA512
835ae426b56c8fffdaba7009f5051e30805af4efece68f4ec589c66e9bbcd01c0bb161a6731da823f841046cb9738ecf5ac58a2382943bc41a82ddad5377aea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS458E157B\ICSharpCode.SharpZipLib.dll

Filesize
208KB

MD5
ccbcddd4b92378ab55e2937ad12335c8

SHA1
cd55c595c32c53732c883d9f6382219c0a6651f9

SHA256
a28158c4f12e4e678088101f6ee38deef3100deda7f36efee25064b1aaa6952a

SHA512
a6cf28c3c786666103ea620f582fa660042d8cbf283ee16632b4b5e94d8339dc229c7e5a36cce73ac1e07e61aa0e5bacfdbe005d2a782c1baefc50b4c2ff5070

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS458E157B\Newtonsoft.Json.dll

Filesize
428KB

MD5
1d427ecd8307c94b7e613864489572ad

SHA1
022bc5428517ab680c36d49f4eaa0e25354c2245

SHA256
7324d07644567cc1061f8517cc0022bcdba0207e4aad3f6cfd1c30b1d5612436

SHA512
fc22a053ae4762258d33d2fe4039afeba6a9bda9067b3abf5dde2a7f65775d3ea899aae57e15129267e0eb0a29ac9733ade758ab360f87fa9631de8e795c6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS458E157B\WebCompanionInstaller.exe

Filesize
456KB

MD5
beea6888dd478aa96e02eef84ee1981b

SHA1
23a652a78aeea00c9ee54e78fa9cb0c28b5f108c

SHA256
fbd7bb711c7e1ee32dc881b23c4fb84af316d37009059c7f2c82ba969e8aa866

SHA512
093b8aef7d3770285c121f7e67603dcad936f78fa97f54fb1a9fa161c2ebab0f5ef0ac1d7bfbc49e11e320c63efc10c243cbcac95047a2f6b45cf2bca0b98fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS458E157B\WebCompanionInstaller.exe.config

Filesize
2KB

MD5
2230b0a8e1a10946e7d98c9ee5d68cc4

SHA1
b948251c589f2dc1a997eeb7416edb7ca1b3071b

SHA256
a138cefbc5c694743bd71869b0abe142f429658086a2fe12f53dafafdce4aece

SHA512
6cbe4348f57f7e123e428b5665126268aa699b5039eec02015423bcb05beb99bd3ea9fd78c1f6df7bd3c1fce1dd1f8556744051e9d920601dd7d7c222ff72f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5K3S.tmp\MacroCreator-setup.tmp

Filesize
2.4MB

MD5
8e3cdda3995f7b3d8d767dcab639fc50

SHA1
fb307b41b37d647740a87188d54b09289155c996

SHA256
fe9992be515a76718875578e8ff92a79d058fe9c13c5748defffb601c3c55a0b

SHA512
599630ae3f2b7a8f4d84f019b5b40dd17e7ced49397f1a9dcd02c319e5fd65eee9ce6a07d1d0d945856c73b1e541e7acf940cb142708e9ecf875dcc3eb738639

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5K3S.tmp\MacroCreator-setup.tmp

Filesize
1.2MB

MD5
bf3c82cf59b639ffb17d442255fadd9a

SHA1
a06550654b147d17b2ebdcaa7a922f3c53737df1

SHA256
414bed98f544092ded2c83fa640a56a9989845cb883a647999d9e20258d25479

SHA512
a2f1950d87e2cd7f47193e39ae5a486863d414137d365df7481cc3167bc94eecc6451ffd5f71e17fa4a0880fa84f8d8b5241d9664e96a29088fe510a31efc303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S5PFC.tmp\WcInstaller.exe

Filesize
552KB

MD5
be7af067d2cac5297275b54d8f3ee7c8

SHA1
1d7f7219e7faca217b918ac531aaa7d71f307c4d

SHA256
6eb7fd8d30dd77f7b1dd92f45a5f2832d4aee9b95ff117ba410486d5d9454d8a

SHA512
dd49b0052bdd9f88bdb3ca9f6def21797b35da48f5d78741f6eaa31a1c4459b6bccf8918275c2838d13369f186072e36879796e692cdf5d28ea7976887aaf8e8

Download Submit
C:\Users\Admin\Desktop\ExpandBlock.pcx

Filesize
700KB

MD5
2f99848b6ff338b912b55ffa5b8e7a60

SHA1
bcfb3b13935e3c06ba454b21f3895d2dceca3a33

SHA256
bd0d6a2a3a49485b9e6a10f4c6ba07d25e49ed7b85e30e7d2efd9c1dbbea8791

SHA512
4801bd88eb49f9c77cd265bb55dcf13cc34a0edafc9265b9f443dc84d5eb2850de7db6e0980247a118d933b56ede36234b1401e10cbdce3c97796abf203d5918

Download Submit
C:\Users\Admin\Desktop\HideCompare.vst

Filesize
454KB

MD5
3fe03ba9a1507b696e5d1d8bb2923d8e

SHA1
4f73e161cc9d065c6f490124a2a8abac048675bf

SHA256
adbc2c03e053a9fccd756aae4fedc8ae44715fd43b7bd67a3424b7aeda31d719

SHA512
26450127b6fe2c4b96daccfb11b2be8edf56523b821338b8212542dbb9bbd5f42b95397e7be148ebc764403deefb44f32c19298db42a95698b2990d144ab07bf

Download Submit
C:\Users\Admin\Desktop\InvokeUnlock.jfif

Filesize
602KB

MD5
379d3fd0204009b53b0bc195ffe006e0

SHA1
7b21222d568310f3a5a0fef04a87b4f289d88f41

SHA256
428be6e0b94ea5d5147c46e85be9d3109504e3b33f6672ab608900c3c9e0ae4d

SHA512
5e5a8612625b514a83b6edb080652067d8f361df7d98c0ab1f2aa775d7a285aab91abdd39db28b0d6ca106252e517d5957560294cb99b0b16435a1ac232b3f2d

Download Submit
C:\Users\Admin\Desktop\JoinUnblock.iso

Filesize
331KB

MD5
8399c10eee482a24080235e197bfee8d

SHA1
7a9ef478ed99338621f00e76d9683dba85a9b2d2

SHA256
154e6d89c6901e169e22b684b2d664b37048a009a059334aa9af44c2624762ec

SHA512
f10de80223fd75cb7f7d44e06497e95a0c4f01c60b563ce96129ddd73f33caa775e87d86017eb871670d8cf448fcf93035ebe9bce348fd71fea45c6109b46e99

Download Submit
C:\Users\Admin\Desktop\LockLimit.vsdx

Filesize
798KB

MD5
2420b103fb6780adbe24a761d859e7bd

SHA1
7d670dcab6ae476b35dc247a61ffe66e33da47fd

SHA256
317cc6266c53869a422869f5eec2318bcecdfd0b23e654ae77c738c26e3ebf55

SHA512
4ba8ce8bdb3c1448131ccffe7a56a5006d8dfaa258a4a956f0303032b26e6c31525082fe3e5746d164a99a8523053f4540c56da493d92040ebf3b40beab1c1ac

Download Submit
C:\Users\Admin\Desktop\MountSwitch.edrwx

Filesize
577KB

MD5
2aef26b860db9beec1198b6c715a4809

SHA1
6fe331d3002222353cd5f73a7e6d6b8ca8555885

SHA256
cc867e6aa6c6456fa692c4ed7560371193ae7172cba71c39690927da3a954698

SHA512
46ad075a82382e748b4a5724a06f8622a545795294a7fa05fe98f77938d10fab71de20f15db0a690f20b1b3393b6e1ff146ca742b67ed50f4f0dab7e23a038aa

Download Submit
C:\Users\Admin\Desktop\ProtectExport.eps

Filesize
1.2MB

MD5
c98d70c9e3c3fef67dc5e82a13b4b0e7

SHA1
58ba2503c8e333cc4297083cf409dc3293abf6b0

SHA256
c91ef90fbd20ea2f1bf560e6bc62e3f1672a01a116cb67181bac4c4c34fdb5b2

SHA512
a7d022b782f3ad0182091188ed04ad7c9e673f45ddcdd6d8a1d6854475e516d7ff9c1c878e0e1eddff7599095ff38cb2fef3b8c52c3726097d96097a1e09befd

Download Submit
C:\Users\Admin\Desktop\ResizeUnregister.wm

Filesize
847KB

MD5
23873d9bcf9a33409a6c4f91186994a1

SHA1
885e25629b456eee8979b4abebf8a6c695ae7583

SHA256
d0b208fd7d3dbba15f43d51fe47b4d034396c5c48d08a5f545f768d0a66861a2

SHA512
c0426c1fff20a7be65f447ba4910a0a29cbbaa4a05efabaaadc727d0f14aecec3405633ccebd9ada8489a759720339080d28bb05baf46122e241b85083aae35a

Download Submit
C:\Users\Admin\Desktop\ResumeReceive.rtf

Filesize
651KB

MD5
c2aed421ef74e3b3238a5ca6a003497e

SHA1
87f541d190b76a4e9ace71310c762e825c00761c

SHA256
c1453773b2a7f26fef8afb92a383ee4f4be02283ea73420b4a6f9e722a0f1a16

SHA512
086556231464b7c3948a32830c78ed067831db10171e6591bd459a0406dc445eddbdb3d5f967ce95e91e83977b12ad704d8d1d119e46554d94c5e34754a2173e

Download Submit
C:\Users\Admin\Desktop\SelectShow.iso

Filesize
626KB

MD5
2dc95d255481722a7313209e49408b90

SHA1
5fee980232e16057ac3f89071b615dd86c0ac7b0

SHA256
03bdd492b6b05a1896674734c768895fcf5f94fab81ec976bdb6947a69d1a092

SHA512
a06d430b4f3e6b8b07add90084e1b9e0229d033c49f803ae9ded740aefcac295481a68ee8427aeb0db95ea9a99b2ada81b1f9d873a655bfc2ae69ab88993fc1d

Download Submit
C:\Users\Admin\Desktop\SelectUpdate.mid

Filesize
552KB

MD5
ca8bd37f0fc4406372fcc24143c090af

SHA1
b2cb331cc9b05525715981900e560bc796c34135

SHA256
564b007c6a94a4cc1cca9e24ce70b96b2a6529ae3cf8967b472797f061bdaf2d

SHA512
89945c925d71735604c76c8c6fbd0cda301ad76b2c8a00f12f79fce5c6d2500f95f52917a2acc8bf8c325b5875a72e2ed004f55bdaae33d04e40bdfab7cad5f8

Download Submit
C:\Users\Admin\Desktop\SubmitRepair.snd

Filesize
749KB

MD5
f65cf56d807d804bb70459d40b453fef

SHA1
ca7306276317541c80f0ea5ba3a90615303b2042

SHA256
ca6e0fafa38f3513fd3612ada08db7ae8836b6926a7206337d85183012ee9778

SHA512
8507a70e3e1b3f7537e542c6e3698d24772c3358d924d8990803de518c6165394a83b79790a85a38eba2d62f9c0f983d1105ea18ed730dee44c1a3957aa1d50d

Download Submit
C:\Users\Admin\Desktop\SwitchComplete.dib

Filesize
528KB

MD5
ef67dc61af8df91dea5f3b5c6d7e3f00

SHA1
a0b77b89ca6d5e92e045a28811ad81eb8dbabfc0

SHA256
c95dfa6df61e9d26f385b08bda13dc2aba6402fa38fabfc9e0ebc3d2bcb3e31e

SHA512
a101910070cc860dbec9b85a576a593fbdca376fe82a7fa3eddd709ed5caec93d7c1c1b581966b51848cea32ddfa1cae9d0823ec9848915911c21f1f77cf713d

Download Submit
C:\Users\Admin\Desktop\SwitchSave.DVR

Filesize
380KB

MD5
eb5ba6cf83d199cecae913006946eff5

SHA1
4598ff0853e83be3c26e8ceaad09a766c3df410b

SHA256
1c081308383aaed858386ef6bb0cb319d9a6fa53a9d67c1ea2d68d5e51048656

SHA512
ca4b47b6d5ae1ea537758410a33f6ca667fd6f6bbed1e41327c85ca7295310ce8cb0ff317718002de2d58c55a892976e45297141b741abdd60b6b880394c39c0

Download Submit
C:\Users\Admin\Desktop\UnblockDismount.zip

Filesize
823KB

MD5
aede4b7155c266611803756f126c16d1

SHA1
fbdcdb6d63030e717dc1d0024c512bb279f28abc

SHA256
cfabd376c88b0bf928f0b0468e340b70cc013bb1f190dbdbeb038a19202e3a82

SHA512
e57455ecf1513cefad781f547813105d92d08510b8e3b7e198a557911125481f3f06fda33cc0bef5eac8b49de914aad9ba0090dd9eea629a291cdbbe076f04fc

Download Submit
C:\Users\Admin\Desktop\UnregisterSubmit.png

Filesize
675KB

MD5
affbc38bd62e6d8d901a4fd79d08e821

SHA1
0939afb03b2e5792b88973094b48f957ab388e9a

SHA256
1fe860aa8abf705456a40996e344fb3b885d416e98ead64ae24335cc0ecfc7ff

SHA512
37abb285692ab421fbf9bb30ba69a9fcaf1e4214c7f2fb17236e2251ad4236bdd95970165f6f3f1afb84fd4cdab915c884b8edb38144b67325c5a699b429c3e6

Download Submit
C:\Users\Admin\Desktop\UpdateRequest.avi

Filesize
479KB

MD5
29feacb9e5bfba983df564fe45e3cf89

SHA1
c83676b531610d63240f0bba2fe147fea09522a3

SHA256
732bdb9c96c3bbd0c2b9abd75081bd43aed7a55dc524ad4e3dbac46d3d489a9e

SHA512
085e86e93c4976ed8a05f0fc5285ebea55e6a8a476358148faa1e3b8e0ba0a152a78ea957af61d15168a01a710919d9d00ad15d00e05a382349a9cfda0377ef9

Download Submit
C:\Users\Admin\Desktop\UpdateUndo.pptx

Filesize
872KB

MD5
eb3acf87840dc741092a82c4a715d032

SHA1
dfb04efbbd6f79126d78c1b024cf94efecee59c3

SHA256
a32fe266374966cbe1660a7653d8c259d95b065ef818a6129777c69df5574e2c

SHA512
5c34a0e2fa1a3c1a415974a7d53e720dea3d63326ec4a036b95c9c80b8bbaa52e3988b0db5cf4cd83575693f188537ca0a68b0a93bd3644158a33a99734bd08a

Download Submit
C:\Users\Admin\Desktop\WaitStep.3g2

Filesize
356KB

MD5
21a81c80bad0b39ca5d9d30f0d3b223b

SHA1
eaab3ccd09d13721cc695079e140174aba97304f

SHA256
4c0ba691719169e1ed5d9fab22ba62ac0b942496fe6b054b9be8a50d5f676ed6

SHA512
83ce8f24e518e64079401272da4bd6e1731f14f83011f8e76e7fe9b4ef93c0a4164d2b03409c0ae5fbff97042b603d24139b4bde1246576d9b6789ea14e2b65e

Download Submit
C:\Users\Admin\Downloads\MacroCreator-setup.exe

Filesize
11.1MB

MD5
2807a1c1a0a30d1041f3b806dcbdb29d

SHA1
0c3df7455b101fb5cea2b7bfed6f55e120b1a1a6

SHA256
6e0e509266a8fd197c3be9904802018b54e1e94439f29fa0053577181be65258

SHA512
a42c27b9811292fb364f719939cd9687dbba91f52ca5a6f068f59c2de3d8973743f356488a915148a6ca538a7f0c85114587af08e5f3b65824c1a68c7727c631

Download Submit
C:\Users\Admin\Downloads\MacroCreator-setup.exe

Filesize
9.4MB

MD5
649abeb29bb1b0da7cf4b5495bb0478e

SHA1
55accded4773d6aeaf7c06def92c7141d32f4d37

SHA256
7c79493e381f44b567ab0f6e778f2c0c7af5edb7a9656594ff4b4072959eed4b

SHA512
3b55cf9538a43adacd69a615e273f70d1babde9fd05504ee8f4c36ccb747067ff155672de5b74be2de62f2a06ae4b437ca74bd907a5899f0a6bfc4c32d1c7322

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 587542.crdownload

Filesize
18.2MB

MD5
93a1b47eedc7bec9d4b76d03da1719ee

SHA1
0be8c720dff7ab941ec79541c9b7769abbeabfa6

SHA256
92ffa6da0bea664f2499cfbec2a578bf882ed861cbb218b384e6af6ea589dde9

SHA512
43536778269c066bfd07f1c271acb9736e191e8d98e4fdc0800d14d22a99f95ced13e13e099de8226b3af676bb779e1b1c2eb10bc5279f59528eb3c6b39cc94d

Download Submit
C:\Users\Public\Desktop\Pulover's Macro Creator.lnk

Filesize
908B

MD5
b2ed2d9fb61e26223f276e2e8dea5e3d

SHA1
e4809ce5096f76d4bcd2c120cdde01fb86290888

SHA256
05531297dbcfd2264195c45da4134d9ce43c9b38194d0cf97a45aab5fe9cbf7c

SHA512
0b017a946108ae26da6118b031cdf39343cf42a3709f24e70fc7ab9f8613a47996717c707cc074d20af8a3b898759811fe06ebd0423a86aefd5ca9a641dd0156

Download Submit
memory/4728-608-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4728-620-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4728-619-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4728-622-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4728-603-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4728-818-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/5180-806-0x0000000072920000-0x0000000072ED1000-memory.dmp

Filesize
5.7MB

Download
memory/5180-807-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/5180-808-0x0000000072920000-0x0000000072ED1000-memory.dmp

Filesize
5.7MB

Download
memory/5180-1217-0x0000000072920000-0x0000000072ED1000-memory.dmp

Filesize
5.7MB

Download
memory/5180-1218-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/5532-597-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5532-607-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download