hxxp://octane[.]lol

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://octane.lol

Score

8^/10

discovery evasion execution vmprotect

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
3744	Octane.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00030000000229d4-97.dat	vmprotect
behavioral1/memory/3744-108-0x00007FF647DA0000-0x00007FF6488C6000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
245	discord.com
250	discord.com
46	raw.githubusercontent.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4288	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OctaneBootstrapper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3020	taskkill.exe
3628	taskkill.exe
5220	taskkill.exe
5268	taskkill.exe
4672	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
4612	msedge.exe
4612	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
3944	msedge.exe
3944	msedge.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe
3744	Octane.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	OctaneBootstrapper.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	5220	taskkill.exe
Token: SeDebugPrivilege	5268	taskkill.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3744	Octane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 412	4612	msedge.exe	83
PID 4612 wrote to memory of 412	4612	msedge.exe	83
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 4424	4612	msedge.exe	85
PID 4612 wrote to memory of 408	4612	msedge.exe	86
PID 4612 wrote to memory of 408	4612	msedge.exe	86
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87
PID 4612 wrote to memory of 4488	4612	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://octane.lol
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca93446f8,0x7ffca9344708,0x7ffca9344718
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8044 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8860 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9272 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9452 /prefetch:8
  2⤵
  PID:6320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9540 /prefetch:1
  2⤵
  PID:6456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:6264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9632 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4319136236703854148,5349145652599899305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6696 /prefetch:2
  2⤵
  PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\Temp1_Octane.zip\OctaneBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Octane.zip\OctaneBootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3884
- C:\Users\Admin\AppData\Local\Temp\Temp1_Octane.zip\Octane\Octane.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Octane.zip\Octane\Octane.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://octane.lol/keysystem/1
    3⤵
    PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://octane.lol/keysystem/1
      4⤵
      PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffca93446f8,0x7ffca9344708,0x7ffca9344718
        5⤵
        
        PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2408
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:3704
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1508
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:5204
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:5252
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x474
1⤵
PID:6388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7075f35fa1c9bde9877f1397303257de

SHA1
f5ce7e012642560aa55b0d6dd47458a3f50bc823

SHA256
fd849d97b98e68d3eb7294fd8839f89a450f77662429af7041720e0a07b8b943

SHA512
1336d5aa7d1da83ff3910e1836b09314bc25fd60184e53fa78197c3a6ea61eeb8dc349166830590e7a6a0001725d2fe8a034a043b00b01b9054e67cfcb563411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
bab68ea3154fc11980a65c5c4daaaba8

SHA1
661df4a8fe959b46d42abb4d00452335a4dba8a4

SHA256
49f476e79f0421c932c771a4a2eb38c1bc89a2a249cd4bca56b1b68d078ff954

SHA512
07903fe98f6a008fa34432998fe4b3a2cf74bff2bb5ca4504b584254eca0f9e49511bca6cd493d135fff44c7a05c41616b81ccc616fea110c1f260a9884f3440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_bypass.city_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
ffafb4ea08143306553c0190ab67b9bb

SHA1
3d09340d9cd28fe397e2efbb8ac8b3aefaadbd39

SHA256
939ace2ad51a99be7432ebd1b7baa27eb36c8ec87512bfaf1c0294c3a8fd9e39

SHA512
3512f36ecf871ad01d2072fed7cf8e8baf814cb479b9abd8103ad094eeac879ae61a33ec70a6685e9fd79d71893539571a65a185d2ade2948cc07cbf66d0e10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
4c423254e1a513d58996bdc0fbdda88a

SHA1
9ece5bce634dd404ca6b5a3e72d38f04e0d5eabb

SHA256
95b502a844fd99e233e17c7568bee1bcadb1ce605452b9dadc2b5213be439220

SHA512
c1801bb712d01f0f1e888a83a127d34dd67e7b74b5b0413daf917a1e84c591a15b350075a90c32b7c548d4bb8c069e2da710c8fef663162faf9661e0ade98991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a151ba4099498deb1a4405b57fb9f04

SHA1
8467bef30dcf35f15d42c5cd1c42767001040027

SHA256
cd5a8df95f9348a232e964c7f60ad8c5391157fe3b955443bf8e31e7a2856bf6

SHA512
772a02f242f2c478f8adaacf53407a38de27a1740e53014c94aec39e02322ed1b3e162d0c693689a37134fd72d548a36b8ab0e438fd6a321b8e59846d739b61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
41b946f208e82b288bc2285a1f3203c3

SHA1
e801d8a06ab0d392501d0e16607593c0f18a8d6c

SHA256
f788926defdabb7fae3da7ea2a27f2ff1b6051a9af584b3307b1a741a0aad908

SHA512
e18e10ae7108fbb37f8773a6e636b6a0cb1e402cd84ae0f4dd2b9604aee654151fff0369d6a6a9dc4a92793a2206740b654dd04ee294d8717f1ad366061bb7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
abf6bf838cfcc10411a62fa5c7575902

SHA1
ea719f57c552a955b37afb2a62c45e4a28cba284

SHA256
56ed99102f04a721266b23767135f13cdc3c2dd229514d539e9e4e3041649876

SHA512
6f6ea7f2906be3626cbcceb9dbedf970901120feec8bd5e676c0501e8c0c1747d7a7f06dda30055edabc1b088b15101da2ff5bf26f9e5dc4c0861c538126e184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
22eed82c32b8908278522a6b3bd30cb3

SHA1
752d3f945088a57132cca24b6ade86b383dea522

SHA256
693cfc75f6b613928777346d6a9e5a09cd3ec71c2d625fbb2063a52207539887

SHA512
a4f18066a6ffb74eead35543ce5455b2cba5f748d909bb27ebff4f1b0c0801265cc16b9e2e87d11932e6f1a4e982b8ec44e3109948cd7141bd333cff5ea539c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3375f6a16c636fdb290c780e5b3ca895

SHA1
703f032eb2365f36c1b4834686c7c9ad3cfb1fa0

SHA256
3fa2f49ad94a7ecfb4355cd73e1214b4a83cf55a8d3a4dbb92a072e71f26265e

SHA512
ad88df3f66a7a967121139383e30429a60dc0a06e8e9f29fc135b88f8aee869340c227804a63fad60d1129768e23b3b16823a8b488d22d6f6ab803ae7d91b6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
12e27cbaec8b0f4cb31f82d657b1dfc7

SHA1
c6900042712f3845abcd3b47d41df8fe85631dc6

SHA256
5a3639609ae4d35750c3d323bfb5d25b07b5d8d89ab977a72411ac65bd85083a

SHA512
3296c1b617649cd80356a58cf9f63e01e4de28a3b3abe3d5eff720023884f85f34370251f946f141aee99efbc142ef9f6c4fe22b9cc06bfa1f8ba11d94eff36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\67e46c12-69da-4055-a981-e40937a4c3e2\925a02cd30dd2ad1_0

Filesize
125KB

MD5
11038f0242ff92690102c6074f0ebc96

SHA1
5061da0be109391b3ebd888d4e299ae5c9765495

SHA256
a3e2fdbcabc9af24ff909278350a17f25d81042a320c48e2ab94f1285f7bcf5f

SHA512
741c9bcae83c4769816fb461eabb44ac1a9a7622de7b9d96d04c090cc0ecbe6ba981f9b04d09e5e9e6e263988642be6443d2303865369a80ef31c520d8800289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\67e46c12-69da-4055-a981-e40937a4c3e2\index-dir\the-real-index

Filesize
72B

MD5
8a3161cba29b4c0b70464aee40dfa96b

SHA1
e48ff87fcb5811cc689baabaf5295468c4fddb46

SHA256
fe14156c7b49281e226c29d580c815d6e3816b1552acc4e5da3bd79fa3398455

SHA512
48eb443783a8475f84a1ebf1832da9d6c3cd318368c6551002a8333e35785f6ccc0a30d615fcd06c463fb51580b675dd4092efc0804f9d36a752dbb2f37e7b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\67e46c12-69da-4055-a981-e40937a4c3e2\index-dir\the-real-index~RFe58d378.TMP

Filesize
48B

MD5
b2fca0152303274fbe687e3ab6150889

SHA1
88378402ab1bac481029f5c238fd4beab441c4a4

SHA256
e5d7aa8beb3b0ca912d2868d2dac3293ac6ce3159bc67cb896b58fa6e68196a0

SHA512
f9b7fa097e59a3147d145f081b1f32092b9af2d79d62806e827c2edf4c3df7a620cab8a0900b0bc415be1d1f0229e7a755265708a7751e35ee2d36db7edc108d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\adf60d97-38aa-4c69-92f4-d494a30bf90c\index-dir\the-real-index

Filesize
3KB

MD5
40a221dd9e05d97c0fbe4cf171a211b9

SHA1
5710d3bfd409ada099343ba0970a976d909286ab

SHA256
4e8a9ebc3da6a85069bf6eadcf1a5a285268dd7eeb46f1e7b3fcef8206487ac0

SHA512
6c67b681df2c030d4a7f98ee77b9a17f4b64cd20ed35938a1c4f0c31ee5cf9507c986558203cadeda26867aa635d5e4afae8512759649234b0a94431027775f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\adf60d97-38aa-4c69-92f4-d494a30bf90c\index-dir\the-real-index~RFe58d2ad.TMP

Filesize
48B

MD5
02842acfab53699eff70cdad69deff05

SHA1
438162ba38bd5c445638efe84e5fc169a9d8200e

SHA256
69bf37e450d3f215ecbd14bddac7c9da80c63fcaf18cfec447ba6b0d4cf3a903

SHA512
1e3cb5e159a97eb87dce1ddc0442f895865ce6a5d8189be0c4b7289fa854c6944a72867f86bcc35da0782d37cf1424660d5d82b5b1e8f3488de3e874d4adf002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\index.txt

Filesize
86B

MD5
2cdeadfc05f96f9e03d463a98c1a9c64

SHA1
f481afa0666e223d4d97592e1c7950ae8ba017ab

SHA256
2e6e13642a35376070167ea2cc843d581442cb58929b6dd4c991b5d46ab6ccfe

SHA512
198cb6fedd1f27c9d40382b299fed3d1da7a7b1a68fb74a52d70e81453aaee6faf05487be5be66c1ef3d041be16bbc18ff3ecaca85a0355e15e2980fd0514ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\index.txt

Filesize
236B

MD5
740ab97565f7c5246ba233461e31aba4

SHA1
d4e1be7c2c9c958138a06e831f7f59b385444e8a

SHA256
006846c45639496adb190479be9cb196ea297c29c331ec7caf61756c2cc38d29

SHA512
d1e98af58bb2f80b5f311d52f038d3898626bde87d2cf64198a557b4e2ea95ec0cf72caf7dd948f99353ebfffa7933c4f3e4c62c69621b5b9eeef7ca329b9e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\index.txt

Filesize
176B

MD5
e6f87c6ab0321e428a8385bc8e4ae79e

SHA1
cea25c55498abef08d26eb714c67c055a66edabe

SHA256
d08316b9bb90ef3ff97dce01ef8c2d62a6be08131129b293fcb3c82153df087c

SHA512
212ab70ebb656d3e05c58a92470e96f751a7d0d0b8ede8edb8918e685ae42b98347551d5d2bbc57acfac5802b9b4a79e9ae2dedf0a4e697fa62d504978343d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\016523c449929e1ba4b2689b8bfce5aae7410194\index.txt

Filesize
229B

MD5
0feb37023bb0fc49397c5970ea6b471e

SHA1
4b4d20afd6343fbe8ab2a38c6a87da54de56d733

SHA256
a1e250cfdce1f3854df9407fb6b493ba3aa2eb1b505c180867b90c56b0bef892

SHA512
2087af67b0d6b52ddd44848919a2bf6f1db8ec63405c3dc5ed8735aff76b67df73cf19f544cca3b6980169598fd2abe1728a6358813cfff6b12a9c0cf1e72cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
2c5e2bc018b83baed9ba46a1eec4fb67

SHA1
e628ea6580e08dac421611d3b9848c68afffc8c6

SHA256
6568f786c7cc1053e8e8a89c8eb87ed56229c1763801fb52615905c4134c7424

SHA512
cf50f130adf5554b3a72f4f0bdc73cbeac656f8d77c93173cbb665d17f21f88cf7c448a331fb223a826c049110dc7efb725f4ec53edf78423d5cf797fe70247b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589d83.TMP

Filesize
48B

MD5
a0c74de0a4809071019fe1fe01135d3c

SHA1
04df3c00ad75b7ec586f303c2062aed8d4013dc7

SHA256
c5aa6734955619a30e0bbdc48b4cf183e6de49f3ed46fe58d5c24f4c960b294d

SHA512
58ca146b1a960232003c6a71cd07cc681d83b005fb9dbf8f8022220a3c60d0b4b261a7479e906458641a6c4e4ddc2a46458b4aa3eb2e2d19782430b3dbf68db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e50e392f7ab30adeaf1cfd0b860e9557

SHA1
cad0c390cec41eaff8e57fd509381225d9c344e9

SHA256
80e71c326b1ef0152e8179c8d12ffe04a534e15ab565fa7ed0663ad4a11e688b

SHA512
d3a8c4f0aef9923c27ce64bcf5b09acacca0fc8903e57a5769cb0d46f824be610884b3a3b5a2c08c6e9d3bcaa00a7a4e4fcdad9b1d228677ebaf04372dad2075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c0f96070c21545b9d3678d9c567c1318

SHA1
f1b62cb9e387b9a31138f275e6e4f9a884ea7ff5

SHA256
06d8c60b530e173d01598012bc136d94b5c13bd4b91919bd34a11996467c78e3

SHA512
425c923282943624605d30ade8a6d76ac8d5aab0b43bad5426849c932e5e6a1974aae1e1450a72eb91f028006bd6bfebe6830fe2904b34d42919c3aa9d009061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
47bbb4b964b58c87091b6748ae3f10d5

SHA1
3607498422d4692fac83fb3314ff9beb9beeb2a0

SHA256
a2de0fbe32fdb8c8b23c6353e072b834a2ad0b1db414fc232285dd5c881a9d9f

SHA512
e90c31d00b09d0164d091456283abed87ff9625528fd49d4cf821e345e6d72b032ebef407e2797e1aff6ada87ededa2eaa07de32d044924819cf93fc7356712d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58295d.TMP

Filesize
540B

MD5
215d16d8d00d0f9a231b970effb1d894

SHA1
87ed0660e6335051a440b94d341d7c0089ea1a4b

SHA256
86caafd8d5ff9132acd925db97d6a981349adb5163ca8967595417d68561a3e4

SHA512
b12a8d9a26842435d70317c8a4642b4d01851d53c41d6ad1d3a3f444da94c6d2f5a5ef0e1f095467d00cd8fc34283ae97b722d5a6fd6d5e14a3a76f859fdff66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0467b8c909ba5ebb8fe23117050e4383

SHA1
f7cffe8810cacd5c24cd2216f99d45151e454a43

SHA256
fd9e1ea082cd6684f54d3329cd3e8495fbbaad40b784078d8233d931c528f907

SHA512
0227a97fbd0b3996bc285455c8b982ce27dc9f779c4650dc2c511b1f627aede9cd6a1fdf134a1fc185a9c4aeeadad7e6e4feb55cab167a2f404f44aff911a301

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Octane.zip\Octane\Octane.exe

Filesize
6.0MB

MD5
9a0290f7843e55afb931e30869cd4f1e

SHA1
fbcb0e05a9863498f878345b127416f9a7d089eb

SHA256
dd3b63d9f3178aca53c5662c834505bd95cfba80e81f80e41eb4fc417f904646

SHA512
5f5703c4787cd565adb0a0f3fe75fcd68f38594720e3b63e1e48abba7edbab73c58d3d593177845265047cb4d6f7bcc007700fc2ee39c04ad689f2452e78fdc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Octane.zip

Filesize
13KB

MD5
4f4c765a8228f1b3ba706a272b5d2469

SHA1
7ab00387bb58fe620ee78c8f9f3411d1588165df

SHA256
e1fb6e9d960db9b5c2135225a02af00222575683cea226ad8f862d357ec3b0c8

SHA512
521c48ee6ba86b56ec7cbb988cb01442ff2c4d6af0ebc117b4272ac2be83790e82281542f71f62d5ba0045953d8d7694d38be0d0e74011f679bdab045f55b39b

Download Submit
memory/3744-108-0x00007FF647DA0000-0x00007FF6488C6000-memory.dmp

Filesize
11.1MB

Download
memory/3744-107-0x00007FFCB8250000-0x00007FFCB8252000-memory.dmp

Filesize
8KB

Download
memory/3884-80-0x00000000096C0000-0x00000000096CE000-memory.dmp

Filesize
56KB

Download
memory/3884-77-0x0000000000680000-0x0000000000694000-memory.dmp

Filesize
80KB

Download
memory/3884-78-0x0000000009660000-0x0000000009668000-memory.dmp

Filesize
32KB

Download
memory/3884-79-0x00000000096E0000-0x0000000009718000-memory.dmp

Filesize
224KB

Download
memory/3884-81-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/3884-86-0x0000000005940000-0x0000000005952000-memory.dmp

Filesize
72KB

Download