xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
214s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4244-1-0x0000000000F00000-0x0000000000F18000-memory.dmp	family_xworm
behavioral2/files/0x000e000000023382-691.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
2720	powershell.exe
1828	powershell.exe
4192	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	писька чит.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	qtqrwb.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Executes dropped EXE 2 IoCs

pid	Process
3484	ttqnxj.exe
540	qtqrwb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
108	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttqnxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtqrwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662248874375466"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{D819C4C3-49C3-4DCE-8960-2EB0E47257BB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	qtqrwb.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{6CE7A4A3-58C8-4398-95DE-51223FBADFF7}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	powershell.exe
1828	powershell.exe
4192	powershell.exe
4192	powershell.exe
2160	powershell.exe
2160	powershell.exe
2720	powershell.exe
2720	powershell.exe
4376	msedge.exe
4376	msedge.exe
2152	msedge.exe
2152	msedge.exe
5596	msedge.exe
5596	msedge.exe
3468	identity_helper.exe
3468	identity_helper.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5500	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	писька чит.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4244	писька чит.exe
Token: SeDebugPrivilege	5500	taskmgr.exe
Token: SeSystemProfilePrivilege	5500	taskmgr.exe
Token: SeCreateGlobalPrivilege	5500	taskmgr.exe
Token: 33	4480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4480	AUDIODG.EXE
Token: SeShutdownPrivilege	5196	WScript.exe
Token: SeCreatePagefilePrivilege	5196	WScript.exe
Token: SeShutdownPrivilege	5196	WScript.exe
Token: SeCreatePagefilePrivilege	5196	WScript.exe
Token: SeDebugPrivilege	5804	firefox.exe
Token: SeDebugPrivilege	5804	firefox.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe
5500	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5804	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1828	4244	писька чит.exe	92
PID 4244 wrote to memory of 1828	4244	писька чит.exe	92
PID 4244 wrote to memory of 4192	4244	писька чит.exe	94
PID 4244 wrote to memory of 4192	4244	писька чит.exe	94
PID 4244 wrote to memory of 2160	4244	писька чит.exe	97
PID 4244 wrote to memory of 2160	4244	писька чит.exe	97
PID 4244 wrote to memory of 2720	4244	писька чит.exe	99
PID 4244 wrote to memory of 2720	4244	писька чит.exe	99
PID 2152 wrote to memory of 536	2152	msedge.exe	106
PID 2152 wrote to memory of 536	2152	msedge.exe	106
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 3932	2152	msedge.exe	107
PID 2152 wrote to memory of 4376	2152	msedge.exe	108
PID 2152 wrote to memory of 4376	2152	msedge.exe	108
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109
PID 2152 wrote to memory of 4656	2152	msedge.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\ttqnxj.exe
  "C:\Users\Admin\AppData\Local\Temp\ttqnxj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3484
- C:\Users\Admin\AppData\Local\Temp\qtqrwb.exe
  "C:\Users\Admin\AppData\Local\Temp\qtqrwb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4eda46f8,0x7fff4eda4708,0x7fff4eda4718
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4423725471281386587,12020794800375631434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6608 /prefetch:2
  2⤵
  PID:5356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=писька чит.exe писька чит.exe"
1⤵
PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x90,0x108,0x7fff4eda46f8,0x7fff4eda4708,0x7fff4eda4718
  2⤵
  PID:1092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2208
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1880 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79910607-0133-4aff-a0c5-426faa66c106} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" gpu
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 25791 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64882711-767e-436b-b8ce-685493ee7794} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" socket
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 3168 -prefsLen 25932 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75084955-1739-4d59-846e-0125ff4aaa03} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" tab
    3⤵
    PID:5744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2708 -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3660 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8e42160-ff41-47ea-8377-3b31ae46809f} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" tab
    3⤵
    PID:5364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4592 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {903dd1d7-fd10-4a0f-9513-11d0350b4d44} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" utility
    3⤵
    - Checks processor information in registry
    PID:6400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343b2cf2-db6f-469c-8bb4-03ac476d6262} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" tab
    3⤵
    PID:6968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9aaeea5-0daf-462b-9f61-7b07453d68d3} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" tab
    3⤵
    PID:6988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3b5bb29-1b45-49aa-8a74-8bba1d56295d} 5804 "\\.\pipe\gecko-crash-server-pipe.5804" tab
    3⤵
    PID:7104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:6776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff45dccc40,0x7fff45dccc4c,0x7fff45dccc58
  2⤵
  PID:6948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1744,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:6300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:6280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:6676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:7076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,1899325117129550281,7654195335273449341,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3044

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:6628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d1bb95fdddb356924cb0a9709d24f09a

SHA1
656fb7f40d283f6947b5097f06bffcf18e0c2a19

SHA256
b4c3e4f677b3040e1e48ec422011e91e989f7cbdb4352bd96e633bf410380181

SHA512
9bb957c3664f380252d24a41be3d5b6cc9e42be30f13ea51946165ddbcb51a1b15283465cf878ef0c6184086681daf238f1c0390728a2245ad2f714f45e7a628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ecb72b8a0605ec9d329f991208cf8217

SHA1
c7ee1db59adf4ec319828cdd9a0208b30250f512

SHA256
212fbaaf48cb290dbf819b2d77dee1289da2b72c935e890cda4319735c9a35a6

SHA512
53c96c2fcc5e47bbbca3f79ed1b5e1f7c593371c9d744d40af54a753422d5ff7638289f41664670a48a2f8be401829d365e4bbee2b69dc82fedd308460e9dee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
691d9ba3e971bda7170f1312ff0a500a

SHA1
6d34c511d30a499c728895da46e298f1a5f16dfc

SHA256
9e8472dc6c9b5684d89345218e6c356b663c79d9ae1c4d1f5364bb260f5d23a4

SHA512
80c494169876310d1558539a075f8ce94c27e5dc5af0540f0fef9afd2b9f1c060f7a7d5ae4ff7bad2ef13091f027a2a20581d8266f4981d918d49ac6bb749205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
91be4e2bf6957e5b01200b15f83b9af1

SHA1
cb9b994eb27a6e41885e4b3dedc78fa1ea9324a9

SHA256
9951e1f58567cad50199fa9e5a1b380e3f0784da276fb2d5f859110d5832dd93

SHA512
c633e932eae25c5858ac035be15f99d273183306bdc1e296e9f0154219ec2da76126158c4a2e5f2af2d27473f6077f03f518d2edd0f1981f321079953f876c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
35ef87a8c6628a62c728ad6e3cb5aca5

SHA1
e7a01565b61f9ea1647fb9bcb358fbf98b0138ed

SHA256
c707b131e7fee40b91887018e223b906faddad11ae338e8f37a78f0285b3d0d9

SHA512
aa4ec3dc3a4c8c2cc4f952b871eb773ece091849b2c02d82f35b02180588ae2c5e77c92152a896122eee565f049d94af5cdcee908250a1d222b86f0fc2384487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0cb85e1410a99721c8d8600f653dd354

SHA1
30ccff3e71d176f466fc87da6314619c500b87a1

SHA256
c998e259c08f8164dfa39cabfff759f08edac3768744bb4990a8b5c2a338afb7

SHA512
f41e6f1fe05031678b9df1aa6060e58fde494ba53ce649793adbb4c9baa5d96381a38bfbf627928ad317e259559c9520a8b282711701befe19eb2758f17111f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
931B

MD5
20ab41f9e3f3f2f188e8fa388f4b7bff

SHA1
b334e4221d0200ab510b560386fefa54702b885f

SHA256
3ec78a5118893a9fc37629a5d664e12d74aaa34fd745f8d69202e4d3f5f4a4ad

SHA512
c1cd57b883924d6afd98206be74156ca854b3eb52cc15186cf59bcf0626d6511eb8fd940a86888a21cbc6c3f1ce6cf0dbb36f0fc5b27633237a1eb1d68f96838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5fd2b58d2d169c9b57d3290499c6a86

SHA1
984137cce652c1a6b1f530ba298792d57ec7b00c

SHA256
335b8c79ae9eb9ff02aae2e7a78b2428f1d66c6a2f4fd36d17cf393ad177482f

SHA512
524c83930c16076564de89bbe6749666290a845b9f0df208585db531f7540cd9bdf2458bf755456bbfaef60abc93e6c97220e58d98d9d180ea012242130dced2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eabd780ffa25e6225cccb820302772a8

SHA1
e00586ff96b32507fd87ee2b0c60d9d2d1aa5295

SHA256
4ff16b1872b79505bde5e2f7668a2f6bc5a6324ba23023525c2a73eb957ad2f1

SHA512
82d1b7b3706179aad5e7259b67a58c6b8127cceb56d4a65dcb6ca3cb0958d8f90ccda8d820a27dd4bbb8cfcccd35068a13a13fa9883c6dc002c811660cd6a44f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2ed7ae581e6dc5056f30cb882f25f42

SHA1
18b7921b04e668d187d5d1ef17ff05584561e2c2

SHA256
abc592d8b6aa499219b93b18a3c8f3902c892ab4574522041359a4ff8df41886

SHA512
f3c52ada567a07815b16af2903d8299614cc2081ba722252090867801b8cbd03328e909f48feb405924d1568bade09b0648bffd63d604721ba00ffd6700cffab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
beeb876e54e7a769a776af1855d1dc11

SHA1
6639d72957fdc0d4378dc5d1de811132d338c609

SHA256
0b046ac6eb71f7519fce1f75f32330e51024de6f562413b16f3c5a22c39192ce

SHA512
698d1630ccfdc12a50352b95759c3193b70fd77e4b1ab59cec42f64754577db8ff4591621c868455d389ac77902db7ba0e4c2baf78a830e7baed8c71befc8862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2eb5a8fd5358cf8bdf6cba7c7aab395

SHA1
076077f546ed8b46fa48e058d55e85f2be4dbae8

SHA256
a88119c6fd36697832ff4ce142bf1c7d0685caca8f108b88beff15197ea31708

SHA512
931ceafb7e5d3558b17c610a8c9d3bd70f7ea6e74686233b0dbbc1f4af8f04a4ed6b0e6b9d7bcc130d5cbdd9b8739fbee864528d2ce5dc616a984a282f826934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69c5d565bbfa589e036b1eec2edd5c08

SHA1
0a213e65ede51c326622a4d44557dd2e98fed50e

SHA256
6e44a76c31941b16b6d18ac732d7fd54b6cb71e3d7d929fb28b4a6dc50cc6f05

SHA512
aadf9d749df19506131e93678ed4e24ef1065fb399a10e82247d9b9fe78d89f33f677302abba37cbbbd1b6945cbaa1b57cb304a6760eb9b2ad8e75826e0b645f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
511ac2b4e36a493c5e86bd86e3df56fe

SHA1
b2f6661cea10777369262a74801c447e18c9934a

SHA256
cf7c4d1d1c2592fe102dffc1a89abfbe75f74e39719d27625d232b44e3cafc3b

SHA512
6913607817f9dc2491531cda2376061f86390b3c2c4414d95b782de8b5bf0710933f47f4244c5cafe5a4c5c8216cea8450ff4ae42c8b02dbd5095dcdf785b8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b125f51ec1d24f03a5e54fd945850b0f

SHA1
6b8b2b5219eae45d22d56af34c2df3815dc5ee7e

SHA256
41a342aecb49a64e2c8dd854cf8546e7c35f8afdd27ee528bb08ae2716b2d6fb

SHA512
774d6bfd2e9e7c4c305a869bc495db182257f8cda57f889798371c2367579d1a57d21f380e436fbf886e72eb6e28aecb96992fb0c3f5b43c3fcc76c4c42af528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
517144f63f8b3cb456e03d71241f0025

SHA1
57c0b9ef0f52cc8268cfafe395a6b50ab32a187a

SHA256
80f5724a14cda13c38d82927a6618eb8a1b50b7b018ee8695752a3889fa73983

SHA512
9569ede91ae7b63e07503d2d27fd23783e1554408fb5d0726b294e7f2ee8273baf07926d808214dfab07caeb152e0b278e4f2cacb061db81e774361e1611ef5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40b67c16a22ae33e8d962b64d37d0d04

SHA1
b2091a1ffb7241b00a34580c51ef50c3d5cd2f5e

SHA256
b9f94b4001250c6376b8d85557497c1714cbf19acb177103efa0cc7ba2d0b40b

SHA512
83df251a6fc231cb5416da7e5739970c17a5ab870324d8a55227d37214de43afae19f89eef11512739135eacb58c7b93d96b087780edae9a33942e4e87458e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5844d4.TMP

Filesize
538B

MD5
64b2990f52fe0cb7311be876ff107c28

SHA1
b6025561efbf12658e5224cc512918a76f3b8bf4

SHA256
01f00507850c77c2966b5bd8e35fe7f06ebfd5d5515238a57c00db1575290da2

SHA512
7d8ef00c9e6a388939262e1d09b2fa0ce4bd21819b0d5069392cb90981c7aaebd2c50dad564fefcc5a64af1911f9422d608911f78188cc620afb774148b07a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d7acb330b3c7d1aa83a4713a1d2c9767

SHA1
b243ecd2329afc8a50be46c74731110e75068efc

SHA256
05bbe90e4f5b7e9ba8ff49e6d068d9af7ce4978a8d9fec93e17b50f956bef545

SHA512
759a799c66e6e8a201ef3859788f8817d325dae6468ff15f23ccc18db527250c9edcc33cb20d478a4eb608d11fe6baafd6a6d5ebdfc01f4521d050f34881df28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db10a94991e2f5df82f84dd738432695

SHA1
ef1de1c0ac349308f8c4e186ab757c4d4e23aa2f

SHA256
6bd3e1a675569ff6832cc943c32d97a1a566eb5758aa1b53b173944b0035afc6

SHA512
e07fb39f7f7e6d4a1ba947b29f7fdb24a421d5d1cb342770242e1becd59fcda0009f1a6c9b60a2a738c1d032fed535a08010b66bbfad396a666cce6a5df9deaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2556c793f87f487e04651d286c39f859

SHA1
548a9f864f7e4a20c221323650ffcf64729d0617

SHA256
3fc0e94bd73774d97e86e6b1733a8d200809db2b1d76df837bc98c1de7d73b45

SHA512
65ebbb0df0dc7cd3fd267a4ecc1163fdfee6c775bad3c0ecf3fd59b084ea5ae0c40dad6859e0def42921dddd706cf635ab401b4a44425b8862b001196c3ed03a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17229f62402dbf3a3822e9f0de6bb2ac

SHA1
ae64249bd1d857831a5b9e1b819e48319b7419b6

SHA256
4a439a7753cd749a35d2d53b3e91b4c08408fac6ac377ec452181710430c7140

SHA512
c31c23bdcb133be17f488c2f99fc4da6fbcaf628d455c51e387d2c99e375937ed92ab86906fe042e2ae08fc8b908f0d6c630c58abf66125cc3810e9590ffa67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
94217e76a8b2de9fcaa685331d4bc37f

SHA1
202dab34b7e97e330f6a8e5f838a9cc903db2dbf

SHA256
4e2654221c043af29cd2191ef27b4c944ec14da1856e67fc6abe84052f046e5d

SHA512
1f852a9bee48921be0ea824e8f9e9ed9cbb551d6e99ace967742c41e9b707f288e50c13cbef8e52fc0420c044c743ab7510ef244ab60cd2b0143dfd363b9aee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
077f30960d9e4ee83fff7d6734fd4756

SHA1
88d4bfc40e94bfd1c60f8142d69ab2adfa00cddf

SHA256
9999209b6d22ce028595e36c06490222dc9e56489d3595539e762c609dea5ac0

SHA512
285dc9ca635cee97b1d64efcdf03a700ca5cf7b77bca7a77c1d29f5509b98b6c904b9cbcd8eb73112029ba562da731a2e4ba88eed8e08922e4f75c9a48728b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
6cd188214e691b85f2db497c8a2fd2cf

SHA1
107b610e872089ef4950bbb27ea2e19b40add090

SHA256
435ded371a2dcad212acf454e3cb2e2069cce8237c8b768f9520988f37d3f4f8

SHA512
93a469be6e1993517d8cc31ff8bb1c5635ad9f9236c14125d9096818cd1e8a6067a96fb5853bfa7750906b3d2c81ddc6a182ba0ec43339355990952572b03b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
448d64b7e2c09496500e077a00882dc6

SHA1
4796fb338dc81d16606ed76f63075b4fef8e051d

SHA256
b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d

SHA512
c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
100KB

MD5
a343ce0b977a91b39bbb4e357c5c0ff2

SHA1
e64167368927542a591399b3d97a7ade15a97a78

SHA256
2ca0d1e6f1ae8f36f1a00baeb18d97f0f2c0fdecd941be2abc147896e0554a42

SHA512
098cb874f636b79561a885cf31cb837278fd940e1a4824512e5eb3566dba3973c13f537017336c37019aa99a8d9751dca65fbfab838a0db877f4d72b8f5588a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3patmz3.nmk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtqrwb.exe

Filesize
418KB

MD5
0176aa2a2823bfdd677c59c4a044face

SHA1
f7464fce6ca9db13050290818b219cc031ed9ce6

SHA256
0bf4a5582d0cf1a117e7be96e62a7293a58f0f6548ac558cdce41e981f4f7cfa

SHA512
e3e4a4c37ee1febaebfd489bdb45b2da229fdc103d808c5b7310c6683ecd491258cd806e0ba8ba918e8633c65023f35c87122e72422deb0028e0f03dc11b2d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttqnxj.exe

Filesize
7.4MB

MD5
3c3d1168fc2724c551837a505ea4374e

SHA1
86c913a12067fd2c1bbc31fb64a5b5d056175841

SHA256
f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09

SHA512
0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
0a3cb8d201f6f7d20dc61e0ed260ce20

SHA1
0e9fc174c73449147cd8ca6b16c75f6e340e51a8

SHA256
1c20af7d743d717bbee944efc5b64e03a969b6379c388a4e7991cdb41eb22646

SHA512
3ab69c36f67a60ed6d056d4a7bc5335b6d5433dd96145d63c24b5c0da43db5372fcdfe7b4a57137076587e1193a0166d8c9376248348a79d570d921a91639a28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
470be3b2eb39b2c5b2677c1989665797

SHA1
adcb976be98cace0d900cb60bc097ed51235e96c

SHA256
b7289d631f8a2f3ece2a902f448a5d6de46650a6a487a842a7edea560fe636da

SHA512
4cfa18ea024e95cdfb3f8fb2237fb9f824c616a5b35ac32a2a53b10be8d171f9e5fe2e7ae62b42116461332c577bf9f45c70c96f5457b4e201fba005a2574420

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9cb60ad6f1a6cfa190fcaba67e607e58

SHA1
36f65ea6523c252c7dc12e19b836dd35a98b9d1d

SHA256
401b8a0f6a2d6f5420b8708cbf28f91534b7f10a46f8b91c09098bf266583cac

SHA512
64f6b78b2b5a518db2105297144472a7910507550a563f5597d87008579e8accef70b2ac57dce0c7fe32d0458ca8b9b386a13b67a50fded5c0f955bf1e874728

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\2eb93d8d-ba5a-4313-a4be-16a5ab42d4b6

Filesize
671B

MD5
d9145875a2b315f53788a27fa3657172

SHA1
f86336299b4804af193229a3ad62efdd1575022f

SHA256
f35c5e5ee00acaa73a4f27fa9939171210ba6cafad129d766f25b36e60202bd9

SHA512
305ce295745b2a14d43129d56ca96e347a0619280ced2c78306713c0c74bf23ec34869c95cc0673787fbdb5e7ff1d006e54bdf72ca9e65d5063f1a25129bb147

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\ac35728a-1f5b-48a9-8670-b451da4268b1

Filesize
24KB

MD5
784c03f2031b5756d8422b160bb40c7d

SHA1
5c9ed531c2476cdf6b1508472b7a644fc77fb186

SHA256
61e66c535f68f74334792fb6db94bfce08ca35f3ba02ca8a1d8442b096af4543

SHA512
cb936d9964475361100f04214c1d03a4902fbaa88b1735f9347b4a953befc3aa60a812d75bf787bd1c78ab1c737ef8888a4ef9d41623a45ec00174c3239139e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\d58c4ec9-04dd-4c23-a345-4be3a0112118

Filesize
982B

MD5
04902de44b2d4fc623af4aaa898d81b2

SHA1
0faa75e8f2be615f6f5d1e38c126125d9a7923c3

SHA256
25381a0687acc0e6279de41d0e96fab5da15398b2d4eeb5f236fdbe72cdabf12

SHA512
bd70b53ec3de0c0c92318add6ba29d130631e72f57087fb540930bc404573c297a15f51db8d45c6e19a85ab7fd1a4e20687fea2365cc602630bc2f1bbf1e9d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
10KB

MD5
724206fdf9f320b334e6b80159d381d3

SHA1
1f49532d3febab8a07f8d03c994e765a0828ab04

SHA256
846a9f34259751202466c8e0ba4d1447ab172fceb38e17f8a5ce23fbad1dbfff

SHA512
71d7f42d519f39a04d925893c77d0c9b6b329756df82be854601e91b66ace9300dd8e1167b6042eb95b0bcb621eda2eea25912d52f4d305e186a5276fd6e366b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

Filesize
8KB

MD5
9fcb238ed2e1ee02332b1fe663490e89

SHA1
83e0b9296a69a6b87c299522a838a72a1d66a396

SHA256
3e7d9df9c620ed53b6f7b0b4d8b38302404bd76c5fe3a0eb946ad0c4a359d3e4

SHA512
7fe6cff7d6ae7b1c3808fa6ba7a5c75e8e66870cca0204dcaacb0ecfbe1e8d098c724b836fcc5160f5eab1e8bcfdef03b1e6573605a512886033e5014a20d465

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
71KB

MD5
ed3794861ddc34b4748ff8081e80cb2b

SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738

SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

Download Submit
memory/1828-15-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-18-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-14-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-13-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-8-0x00000233C7240000-0x00000233C7262000-memory.dmp

Filesize
136KB

Download
memory/3484-917-0x0000000000690000-0x0000000000DF0000-memory.dmp

Filesize
7.4MB

Download
memory/3484-918-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/3484-919-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/3484-920-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/4244-0-0x00007FFF540F3000-0x00007FFF540F5000-memory.dmp

Filesize
8KB

Download
memory/4244-441-0x0000000003110000-0x000000000311C000-memory.dmp

Filesize
48KB

Download
memory/4244-1-0x0000000000F00000-0x0000000000F18000-memory.dmp

Filesize
96KB

Download
memory/4244-2-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4244-456-0x00007FFF540F0000-0x00007FFF54BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4244-444-0x00007FFF540F3000-0x00007FFF540F5000-memory.dmp

Filesize
8KB

Download
memory/5196-991-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-990-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-986-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-1013-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-988-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-989-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5196-987-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/5500-658-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-647-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-648-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-657-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-656-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-652-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-653-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-654-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-646-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download
memory/5500-655-0x0000023F9F490000-0x0000023F9F491000-memory.dmp

Filesize
4KB

Download