eternity | hxxps://nightfarm[.]lol/#

Analysis

max time kernel
303s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nightfarm.lol/#

Score

10^/10

eternity evasion spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000700000002354a-670.dat	disable_win_def
behavioral1/memory/3376-688-0x00000000000E0000-0x00000000001CE000-memory.dmp	disable_win_def

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000002354a-670.dat	eternity_stealer
behavioral1/memory/3376-688-0x00000000000E0000-0x00000000001CE000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Nightfarm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Nightfarm.exe

Downloads MZ/PE file

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nightfarm.exe	Nightfarm.exe

Executes dropped EXE 10 IoCs

pid	Process
3376	Nightfarm.exe
2236	dcd.exe
6024	Nightfarm.exe
1120	dcd.exe
2152	Nightfarm.exe
2740	Nightfarm.exe
4696	dcd.exe
1540	dcd.exe
6044	Nightfarm.exe
1036	dcd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Nightfarm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Nightfarm.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658824756236123"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{CA83844B-36CC-45E7-A351-23F4CECCC3ED}	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2744	msedge.exe
2744	msedge.exe
3432	msedge.exe
3432	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
2708	msedge.exe
2708	msedge.exe
512	chrome.exe
512	chrome.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
5248	msedge.exe
3492	chrome.exe
3492	chrome.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
2064	powershell.exe
2064	powershell.exe
5920	powershell.exe
5920	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
3432	msedge.exe
3432	msedge.exe
512	chrome.exe
3432	msedge.exe
3432	msedge.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
3432	msedge.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeCreatePagefilePrivilege	512	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
3432	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 5084	3432	msedge.exe	84
PID 3432 wrote to memory of 5084	3432	msedge.exe	84
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 3256	3432	msedge.exe	85
PID 3432 wrote to memory of 2744	3432	msedge.exe	86
PID 3432 wrote to memory of 2744	3432	msedge.exe	86
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87
PID 3432 wrote to memory of 2704	3432	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nightfarm.lol/#
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d0846f8,0x7ffd9d084708,0x7ffd9d084718
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,62355634425539280,10200718018259185915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0x94,0x128,0x7ffd8bdcab58,0x7ffd8bdcab68,0x7ffd8bdcab78
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:6012
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x22c,0x260,0x7ff68e76ae48,0x7ff68e76ae58,0x7ff68e76ae68
    3⤵
    PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4988 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2348 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1632 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2268 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3640 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2340 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3108 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4496 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4476 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1336 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5100 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3644 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4444 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3168 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2892 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1904,i,16492743356177133874,5048974094692113465,131072 /prefetch:8
  2⤵
  PID:6084
- C:\Users\Admin\Downloads\Nightfarm.exe
  "C:\Users\Admin\Downloads\Nightfarm.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Windows security modification
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5728

C:\Users\Admin\Downloads\Nightfarm.exe
"C:\Users\Admin\Downloads\Nightfarm.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
PID:6024
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

C:\Users\Admin\Downloads\Nightfarm.exe
"C:\Users\Admin\Downloads\Nightfarm.exe"
1⤵
- Executes dropped EXE
PID:2152
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1540

C:\Users\Admin\Downloads\Nightfarm.exe
"C:\Users\Admin\Downloads\Nightfarm.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
PID:2740
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5920

C:\Users\Admin\Downloads\Nightfarm.exe
"C:\Users\Admin\Downloads\Nightfarm.exe"
1⤵
- Executes dropped EXE
PID:6044
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
55a4205cd798b875f6f3b06924eb4c76

SHA1
0149f65c68e629f0e729716d25b8431e2fbd5bdc

SHA256
b51c48b6fc171bbf28afaf3630770680660a585478668d9f9344cc9161c844b2

SHA512
634fe6d8d21a87bb91962d8940759db63ee9df5a0e01e505cbcb830f544bfd0a1b91b8b8f55e021cf405173fc67914ef3c17f68c47405a93437330394ad12b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d2d78e110dccacb11438ae3e34554830

SHA1
08466ea23ec3a05d10fb989e3de8b510e99b9a7a

SHA256
2c380ec7c4b7a6b36d02281cf4a93271d31fef37b58e3290d91b0d26e6f8994c

SHA512
225958ac12d4320552a677e17459300b41f14b0f8906d2b12946065c92ee37fc27bf12a69816b45e6a1293f6e42587b4a776f2d53ea9d0b2dc9523cec5a4f9b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
2f3093bc83306e295d246ea809039d57

SHA1
d5a99da454fa23a2c8a6093c867c42367a8c517a

SHA256
0af7b9c08481f32b91c3544645cd544d5a9f6deefd96acde77139343bd535ba8

SHA512
028c0b9c8b8f9277674988a56391576bc7220b10099daa0ce089d981dd9e7e01cb99e758df26fa00d2d1f44268a9d21ae40731805217401d1cb52952fe909345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b47d642a4553ce292ddaa93cb1a066b1

SHA1
b0eb793fd374fd8b32e5d209fef6aab3b52a4411

SHA256
4f464ffe4aae31bfbbaf549d59989122f8123c279eafe1bbf0cf258c4a6c6d8a

SHA512
59c50ea2ec29c00425141581498074be76e921cdf9f71182909ed5ae617b2821ae013bbaa9e01d2606d76874fbefe0988950d9722410da8e63df9c9218719bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
702f8b6ab8bdd7062c85d32b6a0601fe

SHA1
069bdc86fb38f8da96d1671a46318288da283657

SHA256
d9e78f7c3fcb1d69146b09ccdba44ad28801a3899bf7ed36e0f51ae74334bed4

SHA512
d69cd67f17d084510402d7d9474928cc921beb61e07130275d0e7f425dc411be7b780ceeb4c53f0bc0f091022b16ff4ecfb0cccec16e6668bdf72500ac469e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
870aedb9c62badd2a014261c72c23d9f

SHA1
50a13bc063e008970f47bc88163bc18b5ad0a515

SHA256
b0827b517c470cb401cb5b1044f18bc7746c5b1df99e9324fda0fd0e0453addb

SHA512
0a9be5a1225e50e8828d4ea76c0d2f260dc8ceecfd0ad6f4379114c4a3c5ad576c76f9c98d42ed79bebc9161554f33b95aefe1e08a0e9e425586bce14cec3c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
f791e657650996399985ee07179bb9e0

SHA1
64d37b77bc2cad06863e829499df14197c1e0ff9

SHA256
7faf28aaf62fd7ede3cf7c72206802b3f773ef2d8a927112691753633355d29f

SHA512
c827fe0644b7b762901aae441b2121fb1fd0c53ea0e2e11cd79f19cb6821dd7320e247d1bfc8f6b4cfd0d3c6aac92ffdbcbb080d0c157fd02e9e49b04cdb6a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0c773367bc670b6c99fdb85dd20d644a

SHA1
98e7def69582a5f1c094051e41d893703f952698

SHA256
a80a07b2d482396db571598a32e7f14c8e6cd227a16335d341e382663688bb2a

SHA512
7d58cfd90cec35cadcaf9d1b8b33789d9d7e1858df285697554042f69ea4e385c3eba6bbb37090b5734e8e671792a2cb1d171bd84f3a758cef3802b8d40d2e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
942a91beb49ddcf991007f6145aafee6

SHA1
9201ed4ae59f02c512de5401205233de87258a94

SHA256
7f63a4696a7a9319afb0365f9e166dcfd2d3f98ad836c93a4e607f0f12c27130

SHA512
d070e8755981cb7ffcddb0d553c988b0f0fe4e5346368ab959ecbf92d6515ba87a39ad1807df21d18b877e4214e91596965473b81b3077c8d8512785937e57fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
46fbe7d53b04d6acd3354846e48c5753

SHA1
9f8a438fa8975643d3ded223334d7220acf93d02

SHA256
7b981354fc71c9b4c6cf448ea09f73d2de49854eb3eea73474ffcae0fcc151bb

SHA512
bf848d45b069f3ef15cd6f8d86c23334dbff0795f42677725de75e6037bed334efbc7f17bcd09bbbe8559cba0aa9d2abceaf2311178e7d19968bd9dd00e4496a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
35780477dc895e2fbe78876289336fc0

SHA1
31ba3a4e052623fcffe7f97b29473c2f7afec118

SHA256
7121e28e085a45cb7ee5351f5484574b7973c37dab5cb4102b09e3b42a09dbab

SHA512
6befff5618b3a30fb995b2be109b17465c4618a3d12f181c7d60afd50424cc7345e2375ad86d427a043a381d3075c2d1c79f5f90b21954d6026b4b95a3c54a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b246f3154592781ba87ec1b3cf938a87

SHA1
71f0addd78b72768c1215ace4a37bb2a4b4ef015

SHA256
3352285c54d117a366d59e915f09608ba87b529b27dc8d0ad705045d2d904b6e

SHA512
042227ea80b31d149431d59ee49279ff808d42b9d7ed0ddd6aa32411aa2379d27047593a5e85688389ab7e507505cf1ee969c713c1a6a9ace2280453fe9f448a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f06a433bf31503a856fef0a4735d88cd

SHA1
b81271a202011b33afe30db1d557b74d1c7b0f1e

SHA256
6ca3c02be2315f8dc25f2be1c23774b8cffef013acfd6a0557874b5e971250df

SHA512
de3425402381192b9d2f4e6de3d1337c0bcdd921f891d987df6caf71e7d43ce4be24edd118959666a174d09e2b2931c4869d8416f8afb55a5f939b6b805a96ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
00bb684eebafbfd50a4b2cea96437da3

SHA1
aa6c009e742ad538813820ac9f799d6d4e42a5ac

SHA256
2f321e92f7f27917fcd0c0601e71f3a833519ef5395fae2129bc6d292460e7c9

SHA512
782589bd84505a8d261eb7aac3f1fae3250c7c639ecf1866e418b70f08eb529434785aef5cdafe847ab35878aede1d11dbec91488f5cb3c17c4d0efc47d5cc6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7a521752fdcd9df8c992a16d4a4ece1c

SHA1
1726e92f6a24e91641453d399dd976826d029827

SHA256
809bb42679c3aa201899fd4b8fe1fa0ccc63e322fe0be116d0166559db47a5d5

SHA512
db26dece998a61d128928bca3b20984cce64850e41a8c635a8d889cb4d1706dbfb692b09447296a3e8872bea35eb2556c0b65ef258618cc39c8069511c341842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
637a634f5a9cf520facfa70d7385ce54

SHA1
ba13cd867235b467febc359d5f39d701a223f7c7

SHA256
a2dfb89514ad77804f664d4020e32b15361604a990febdce95d1e4f6016a919d

SHA512
bb17cc76099404c084201ffdfb1d366fcbc970a70223cec0244d7ddf6948e8621646110261f217873a7781a8cf26baec0ae4720d071b75ff4843d39a98ac2ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ab20daddc58342514e0658b4a484e0d3

SHA1
a92573382aa85d69b3630e5eb19bf24f60e2760f

SHA256
0196c588597e268686fef5c2d8b94f81986802739f963e87d1636dafdbe22c3c

SHA512
79313e57d112d61e15ae59f177f8ef3365c22a5272a3cdd5aeadf73ecff273fffd69bbbfca6df3c8db28bfad8a7c5873dcf581b06ff58352167e989331f69f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
56928ff5939b0eb4ad07f55e123fe8a0

SHA1
8d07622e28195ba3d143cf0864f6957ab2319df5

SHA256
288dab1e6fa144e79cc22782a5fd57d4c56f427f5b16fe50e478f78519d0ab33

SHA512
02f3b4dfa7924ec970ae2c5bd6d2a57c25e42aa899f1b703594cc02a3ba6817064940892586892ff0c41db36da9507305856509b212733ac82c5edad8d2ef9d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
d991102c2a139f5c54df8dfee5abd262

SHA1
45ef754a080092f222f0a67eb1e9b124f35fd109

SHA256
bc5e0cac989ffd8205c7116802007bd30e15a3ca7b7915957373b04ce86a1b68

SHA512
a820f384ca0afb97f95901f784cdb3456d248aec68ebb766bf286fa1036e5fd49762e19c910ace8c41fbb937cdad65bff2467d30158728920f4f09ca600c6259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
1415cdcf302dee0c2db49c6d4b26f1f7

SHA1
78d28fe31fbfaf88a67c2d296fdba90db6c8b6fc

SHA256
7e103cc05a03e54d167fd69bc49f9528494281e2dd5179b6c8e8b653941084ec

SHA512
97c31767c9300cd15191fc189a86d4b6fa3cce8d0e66808ee9a9b8178cc1420ac4e52daa103220fac5b571eadf600208d1e20b0c69283fb586ad6bc9691da5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
b295dc35224f373d06b5cdf28277f748

SHA1
c293ea008c266c350538d233af4a1d49a55966b3

SHA256
59527458cd407eaddb35fffc878e089bccad75350d5e4dd6ba69d6cbc4707548

SHA512
32c154f04a6e68f7e95cbeb51c37367302dc4608963e2266969fcde3906aec2ce15f16694074313880ba12f198a45727dce497cee3eee1d9ab88a6b3b50f4124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f614079b5f07abb92c94ae3e1cc8d4fd

SHA1
7f7ed8fc7e6fb8d385ed73dd1827dfc47c55bf21

SHA256
780dad563f17b9a56cc0f128b4f7a0de1012a318aac16b491e8b49bac42e9b8a

SHA512
11c738a80b8005e81b12b9ff93a35a03655075faaece1a3960e1272d83cc9a1c0c08046e0251b363bbb22d5337f7abdd4a8e8db0993af1391ab981bfdc24c25a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\db33d814-7d4d-4df2-b000-171869bfe705.tmp

Filesize
288KB

MD5
87a928bbd0fa02418837c012a7545efb

SHA1
018ac912db798093c7a99b91d6f74e2cde43ca6c

SHA256
bdc70e37b975634968f7bbad5152a01a5bdeb4bfb0ec48d422323752ade0742b

SHA512
f58c40fc189d9989daa69f9915810a5db085243e507651688d8c16201c12b8e8d15de731b17c6a321f15f4f4ebbc298df72384f9a4d26f9804cefb8268052744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f830d0a6e6f28c7326b8417b3253f5b

SHA1
6844713dc743729869fb4f8672fa4923b4ab0b5c

SHA256
bf4915b8c0461978bc38fd924fbfab54bea5f1f63a2e27dfb01be73b49424412

SHA512
e8c7566642038320c59ecffcabe43e42340bbb80124a68b4ed2cc9e97f2a60a953b4b1d42e3b68b7d4d3dad19c8df885f68f742aa40ecca3dd4f7d8fa0e17a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
764B

MD5
50ae1e3fc41471357140de0e69bd0bc8

SHA1
6107cd281966d3de7970df5df470a0e16df347fb

SHA256
9b20d309a73a853d43f154b7a3f4f6cabb53ca78a98b3f8033b904a81938a67e

SHA512
ab06499d95e3c6ea1af34c4f8f43f2819790fee02f229fab442de4ae6b4d319cee0f616ab117cd6298cded8a8a7b25a7d330462ddba60eff5d16adb1f4ee66a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
764B

MD5
74fde82d63b2ebc3a2cbb19a25c5c53d

SHA1
d3c664f55a7eb5cfdd864ccb91a18b76f1369466

SHA256
918b4d61cc2a081180333b657e06b188add7a429727baf7c7c50be52ee9adbb4

SHA512
adc3a8ed4500e58ccdc9d9b76433f5e9c233e0150e23607e0246a6968077359d926d40260dee9ebcff8dda40ce81db554f0d30897d603ed64932523ad7f6572e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
166275e60fe4a95c1bfcb56d76c11abe

SHA1
df29f3b1c75ccc709a0d87759912253034842617

SHA256
e4aecdf5a74216ae237b2c538f1a286ef16a8b9f01ec829899a85dfcd9ebdadc

SHA512
799903938093281e5c1f2c827bf2355b0c7e4e7ff84c34a77e37900a186e709738cc1df0cfe6d2fa68b5e8e9d1a55877c86e4b570609e34b41c9496d9d8a1ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5647903388d509c7322ca90ef312e16b

SHA1
70cfd4aac899dd651d20226cd972401581a57b47

SHA256
779ded4e22fa2332df81036d756a52df975693f83e8623e3889039fc3e8c56a5

SHA512
f90101cb19c958169e76b342d61d7253b1ee146c0626ce11a28a9eb44842f13d406733f10fa237424662e48b73571ba3f806ebc5c1944ca9340db56573dd1ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e79e001f0552240fe46992e7b7ea8b5

SHA1
d4cbaf562ab4527e3cc9c5a640120439ff8c3c67

SHA256
9121ae981f58eb0b3f925d40d5915db696777bc2a75592e13df35d30d4fe21de

SHA512
057dc75a0d35399dcecd934599c21bbc3c529e56bd86c4466efc67014199e4036d0399e8bd92688003717791efccb2cf84f055057960ad2fd3b1dd3cd15d599f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0643558e4bddcbe08c1facada76e6ce

SHA1
a4604cd7b72f755b2f8d8d122cdd16577d4fa480

SHA256
f2f35e009cbd3df03726cec1640756f46ab7eb5039b90550298b5b7f574d9a14

SHA512
956df1f144c55e5108f4f50ee444d5f1fee217e4e2666b982944cfe2b5ee8bcb545956284e23b871639156847f49763d1f4387d340663648cf5242566532d362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7545b966b6e6475729278800a979ff98

SHA1
2d2ddccecbb8e008da35b04f9df1aee96f4b3bd5

SHA256
d4759d565df4ca1bf8b70504ee2dc603bb81713af9adb7ca61088303e6bac0fc

SHA512
f2cb4267e2b730f5264979a2869174282f8ea834417d23fb3f3717f2b52f3ebb612b25ba08b07c88fb21a043bba67d02ff3b058b524f1017d184041293373f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f3c3214f12adf6ee188b38980eebf1bf

SHA1
24b22d4809b34ad77e354ffc6394f13925a4845b

SHA256
8cb33a20145bd60048ef068e44ec233423b692ff41261478a63dccdc9c746678

SHA512
7dbafc5122e9a784f34689a9401cb68418cba615f54bd16521478731c31e00c87a242d115e8a676993b467f911e6a66fc73f46b81412c324606e3b66b4101987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed643160aeb5275a31f8a3a05c07dad0

SHA1
9dd271cdc0c9f43261245737a6e3335e5eb239e5

SHA256
6b66394d30cfd14a5e5da5945e057b43f990d9c6d418895aa0f8476ab43cbe25

SHA512
57301eaa15237ac479bc14706da53fe328ba58f833464a2ae9f407cbd249430bb6e325ea01478ff63c37973c3a8e5c00ad12e41f627b88941ca6eb954fccdf95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3bfe5271ffe89aa7c2ad8adef7f8e590

SHA1
233f66fb627c72bb68bcea125583f3186e1d4c2d

SHA256
61cf46282d6efa5e84aa4017b953b7facb55c48559ae86fea6adab3d5433843e

SHA512
39e5278c33f266bad892fa327c6605acc2650fc35d2fbe572dcb0eaca09ae0d1f47d8b07a9c4f574dbe0e639e1cc890c6e7aae800e6ec11a3c5d7a751e3769a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oiq5shv.apb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\Nightfarm.exe

Filesize
932KB

MD5
fe645d9509824ffb8e793a845f189e5a

SHA1
52c8db36d840550c50cba8b8b4832dd8c49e30cb

SHA256
55b1342e783f0b32c8e8440f2c0d9e0eaba4489194f40d052abd6e579f8b8552

SHA512
814e4ab5e7f250cb550ea8edfc9e75bfcbec9a2f609ce87199ab1357869fa3f8a1a9532e3d8562d7ea2df233865050cec900bf5fc1dfd14df48140ffa1d71372

Download Submit
memory/2592-722-0x000001E6AAFC0000-0x000001E6AAFE2000-memory.dmp

Filesize
136KB

Download
memory/3376-690-0x000000001AE20000-0x000000001AE5E000-memory.dmp

Filesize
248KB

Download
memory/3376-689-0x000000001ACD0000-0x000000001AD20000-memory.dmp

Filesize
320KB

Download
memory/3376-688-0x00000000000E0000-0x00000000001CE000-memory.dmp

Filesize
952KB

Download