skuld | fa5e08c10b5436ce62146da3783126a903a7e1d545f10c1a0984f40daf8c1d35

Analysis

max time kernel
569s
max time network
567s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dream R6 (1).exe
Size

6.1MB
MD5

098079241a31077ce464dedd564d5965
SHA1

5a4a1395ce3f7aca2de4eba960e579bc91ec2a07
SHA256

fa5e08c10b5436ce62146da3783126a903a7e1d545f10c1a0984f40daf8c1d35
SHA512

f70f1996406ea498e6e2d871d05803ba121bb4fc3a35250aea626df612446d7d197aba9cfe7293534fd76fcd88721ed406349d74b747c43d2a5d9846866fed51
SSDEEP

98304:OL8TZt27hpBDNQZx92UWUfeeM81EztJwRla6dewnqOQL7Xwivl/gn6MsyB:OwY1PL8GfNURsRe87jdQc

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1275570777562943619/CfD-pRhASNI97yrXg8BssfRJRJrGeagBhz72dQfdjXc70hZ50lirmSwHec53Jx0RZ28B

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
3952	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2338c854-cdc5-9378-5d3f-23d937174738.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 19 IoCs

pid	Process
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
7072	Dream+R6+(1).exe
6760	Dream+R6+(1).exe
3892	Dream+Fivem+Spoofer.exe
1536	Dream+Fivem+Spoofer (1).exe
6204	Dream+Fivem+Spoofer (1).exe
2948	Dream+Fivem+Spoofer (1).exe
1832	Dream+Fivem+Spoofer (1).exe
5820	Dream+Fivem+Spoofer (1).exe
4888	Dream+Fivem+Spoofer (1).exe
6392	Dream+Fivem+Spoofer (1).exe
4484	Dream+Fivem+Spoofer (1).exe
7072	Dream+Fivem+Spoofer (1).exe
1496	Dream+Fivem+Spoofer (1).exe
2724	Dream+Fivem+Spoofer (1).exe
3480	Dream+Fivem+Spoofer (1).exe
4556	Dream+Fivem+Spoofer (1).exe
5920	Dream+Fivem+Spoofer (1).exe
5844	Dream+Fivem+Spoofer (1).exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2338c854-cdc5-9378-5d3f-23d937174738.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org
19	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2338c854-cdc5-9378-5d3f-23d937174738.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2338c854-cdc5-9378-5d3f-23d937174738.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3752	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4972	wmic.exe
1116	wmic.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	20	Go-http-client/1.1

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687309763298364"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{C6D59519-CF0C-4B2E-9AE9-8B336F1F750F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2338c854-cdc5-9378-5d3f-23d937174738.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2338c854-cdc5-9378-5d3f-23d937174738.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2338c854-cdc5-9378-5d3f-23d937174738.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2338c854-cdc5-9378-5d3f-23d937174738.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2338c854-cdc5-9378-5d3f-23d937174738.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2338c854-cdc5-9378-5d3f-23d937174738.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3952	powershell.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3952	powershell.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
2260	powershell.exe
2260	powershell.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
3544	2338c854-cdc5-9378-5d3f-23d937174738.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
6308	chrome.exe
6308	chrome.exe
6308	chrome.exe
6308	chrome.exe
6308	chrome.exe
6308	chrome.exe
6308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe
Token: SeIncreaseQuotaPrivilege	1896	wmic.exe
Token: SeSecurityPrivilege	1896	wmic.exe
Token: SeTakeOwnershipPrivilege	1896	wmic.exe
Token: SeLoadDriverPrivilege	1896	wmic.exe
Token: SeSystemProfilePrivilege	1896	wmic.exe
Token: SeSystemtimePrivilege	1896	wmic.exe
Token: SeProfSingleProcessPrivilege	1896	wmic.exe
Token: SeIncBasePriorityPrivilege	1896	wmic.exe
Token: SeCreatePagefilePrivilege	1896	wmic.exe
Token: SeBackupPrivilege	1896	wmic.exe
Token: SeRestorePrivilege	1896	wmic.exe
Token: SeShutdownPrivilege	1896	wmic.exe
Token: SeDebugPrivilege	1896	wmic.exe
Token: SeSystemEnvironmentPrivilege	1896	wmic.exe
Token: SeRemoteShutdownPrivilege	1896	wmic.exe
Token: SeUndockPrivilege	1896	wmic.exe
Token: SeManageVolumePrivilege	1896	wmic.exe
Token: 33	1896	wmic.exe
Token: 34	1896	wmic.exe
Token: 35	1896	wmic.exe
Token: 36	1896	wmic.exe
Token: SeIncreaseQuotaPrivilege	1896	wmic.exe
Token: SeSecurityPrivilege	1896	wmic.exe
Token: SeTakeOwnershipPrivilege	1896	wmic.exe
Token: SeLoadDriverPrivilege	1896	wmic.exe
Token: SeSystemProfilePrivilege	1896	wmic.exe
Token: SeSystemtimePrivilege	1896	wmic.exe
Token: SeProfSingleProcessPrivilege	1896	wmic.exe
Token: SeIncBasePriorityPrivilege	1896	wmic.exe
Token: SeCreatePagefilePrivilege	1896	wmic.exe
Token: SeBackupPrivilege	1896	wmic.exe
Token: SeRestorePrivilege	1896	wmic.exe
Token: SeShutdownPrivilege	1896	wmic.exe
Token: SeDebugPrivilege	1896	wmic.exe
Token: SeSystemEnvironmentPrivilege	1896	wmic.exe
Token: SeRemoteShutdownPrivilege	1896	wmic.exe
Token: SeUndockPrivilege	1896	wmic.exe
Token: SeManageVolumePrivilege	1896	wmic.exe
Token: 33	1896	wmic.exe
Token: 34	1896	wmic.exe
Token: 35	1896	wmic.exe
Token: 36	1896	wmic.exe
Token: SeIncreaseQuotaPrivilege	4972	wmic.exe
Token: SeSecurityPrivilege	4972	wmic.exe
Token: SeTakeOwnershipPrivilege	4972	wmic.exe
Token: SeLoadDriverPrivilege	4972	wmic.exe
Token: SeSystemProfilePrivilege	4972	wmic.exe
Token: SeSystemtimePrivilege	4972	wmic.exe
Token: SeProfSingleProcessPrivilege	4972	wmic.exe
Token: SeIncBasePriorityPrivilege	4972	wmic.exe
Token: SeCreatePagefilePrivilege	4972	wmic.exe
Token: SeBackupPrivilege	4972	wmic.exe
Token: SeRestorePrivilege	4972	wmic.exe
Token: SeShutdownPrivilege	4972	wmic.exe
Token: SeDebugPrivilege	4972	wmic.exe
Token: SeSystemEnvironmentPrivilege	4972	wmic.exe
Token: SeRemoteShutdownPrivilege	4972	wmic.exe
Token: SeUndockPrivilege	4972	wmic.exe
Token: SeManageVolumePrivilege	4972	wmic.exe
Token: 33	4972	wmic.exe
Token: 34	4972	wmic.exe
Token: 35	4972	wmic.exe
Token: 36	4972	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4480	3748	Dream R6 (1).exe	86
PID 3748 wrote to memory of 4480	3748	Dream R6 (1).exe	86
PID 4480 wrote to memory of 3544	4480	cmd.exe	87
PID 4480 wrote to memory of 3544	4480	cmd.exe	87
PID 3544 wrote to memory of 3100	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	89
PID 3544 wrote to memory of 3100	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	89
PID 3544 wrote to memory of 2064	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	91
PID 3544 wrote to memory of 2064	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	91
PID 3544 wrote to memory of 1896	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	93
PID 3544 wrote to memory of 1896	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	93
PID 3544 wrote to memory of 4972	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	95
PID 3544 wrote to memory of 4972	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	95
PID 3544 wrote to memory of 3952	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	96
PID 3544 wrote to memory of 3952	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	96
PID 3544 wrote to memory of 1688	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	97
PID 3544 wrote to memory of 1688	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	97
PID 3544 wrote to memory of 1572	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	98
PID 3544 wrote to memory of 1572	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	98
PID 3544 wrote to memory of 1116	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	99
PID 3544 wrote to memory of 1116	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	99
PID 3544 wrote to memory of 2260	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	100
PID 3544 wrote to memory of 2260	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	100
PID 3544 wrote to memory of 3792	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	101
PID 3544 wrote to memory of 3792	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	101
PID 3544 wrote to memory of 2268	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	102
PID 3544 wrote to memory of 2268	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	102
PID 3544 wrote to memory of 3152	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	103
PID 3544 wrote to memory of 3152	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	103
PID 3544 wrote to memory of 3752	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	104
PID 3544 wrote to memory of 3752	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	104
PID 3544 wrote to memory of 424	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	105
PID 3544 wrote to memory of 424	3544	2338c854-cdc5-9378-5d3f-23d937174738.exe	105
PID 424 wrote to memory of 4368	424	powershell.exe	106
PID 424 wrote to memory of 4368	424	powershell.exe	106
PID 4368 wrote to memory of 4592	4368	csc.exe	107
PID 4368 wrote to memory of 4592	4368	csc.exe	107
PID 4584 wrote to memory of 2536	4584	chrome.exe	114
PID 4584 wrote to memory of 2536	4584	chrome.exe	114
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115
PID 4584 wrote to memory of 3564	4584	chrome.exe	115

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3100	attrib.exe
2064	attrib.exe
2268	attrib.exe
3152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Dream R6 (1).exe
"C:\Users\Admin\AppData\Local\Temp\Dream R6 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe
    C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe
      4⤵
      Views/modifies file attributes
      PID:3100
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      4⤵
      Views/modifies file attributes
      PID:2064
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1896
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3952
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:1688
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:1572
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2260
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3792
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2268
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3152
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious use of WriteProcessMemory
      PID:424
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ud443ji\2ud443ji.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES953B.tmp" "c:\Users\Admin\AppData\Local\Temp\2ud443ji\CSCF4D23BE436954795B187818679A2CEF.TMP"
        6⤵
        
        PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8fe84cc40,0x7ff8fe84cc4c,0x7ff8fe84cc58
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2100,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5000,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4728,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5360,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4936,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3208,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5512,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:6956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5504,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:6964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4356,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4720
- C:\Users\Admin\Downloads\Dream+R6+(1).exe
  "C:\Users\Admin\Downloads\Dream+R6+(1).exe"
  2⤵
  - Executes dropped EXE
  PID:7072
- - C:\Windows\system32\cmd.exe
    cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\2becd3f8-e549-a632-8681-85f4c0450bbb.exe
    3⤵
    PID:4820
- C:\Users\Admin\Downloads\Dream+R6+(1).exe
  "C:\Users\Admin\Downloads\Dream+R6+(1).exe"
  2⤵
  - Executes dropped EXE
  PID:6760
- - C:\Windows\system32\cmd.exe
    cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\7c3fc90a-a482-d63c-1760-0aa5e8bb0d9e.exe
    3⤵
    PID:6344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3172,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:6968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5356,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1472 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5628,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:6276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3184,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5552,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:7088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2808,i,15249390927497996704,1221043668211368794,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:6128
- C:\Users\Admin\Downloads\Dream+Fivem+Spoofer.exe
  "C:\Users\Admin\Downloads\Dream+Fivem+Spoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:3892
- - C:\Windows\system32\cmd.exe
    cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\f8e1bdd9-9eca-f38b-4cc9-261635a71975.exe
    3⤵
    PID:4068

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8ffba46f8,0x7ff8ffba4708,0x7ff8ffba4718
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:6376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  - Modifies registry class
  PID:6384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:6676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15192914523203590137,2041408937737250211,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 /prefetch:2
  2⤵
  PID:6204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8fe84cc40,0x7ff8fe84cc4c,0x7ff8fe84cc58
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=2028 /prefetch:3
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3676,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:6740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4664,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4652,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4352,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5204,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3684,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5448,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5084,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5604,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5552,i,5102109515904733998,9147381605456595635,262144 --variations-seed-version=20240820-180103.614000 --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:3972
- C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
  "C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5084

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:6204

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:5820

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:6392

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:7072

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:5920

C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe
"C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe"
1⤵
- Executes dropped EXE
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efc82f8314de2fb0909127cebb38a019

SHA1
ffeb52cdf0bffa888270847d4981cc96ba448c14

SHA256
9836d53d4914279fb42e48acea940dc78d94b2ba4866e0731a528c65ff131d2a

SHA512
89d234d0dbecccda14e5fadb343a7b80a4ce464e270d1e17488b66bf707da13c0f0de30ce9f4a20746c5951c31fe776e9d618712fa6a842749555dd1cc2b0866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\93b4182f-9480-4f28-b92c-0024ca2d5f9e.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5313e4e4f667a8fc9b65406f5a843d8c

SHA1
597c6aefbb2f0f9640673631bb035ca56403e6f3

SHA256
d524014ddb42b58a39598f0122593cb5c2bb1fa9abe2548964072c7f62c43014

SHA512
a494dabae248711488f8b393a214a2a4035ad30831bff110a441d946fd27366aef202f7b77df3a3c0c34a3ae1cd7ae1bcb6484cb3915980398ddf0d7ef81fba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
ed69dfe553bb921ec9154c3b9142c524

SHA1
7cab7a0660df448e61f71242af3ad5acc311108c

SHA256
ead49dff75bc4bc9e43440569cb98cb992664bc008aabfe344a105b401537d0e

SHA512
10e8052aa1c9d02acf33cb9fc89d1a140070439a2884836c373c2214c433de95ad95e5e6a83af4a0d280bb4258a52c4986587cd75a5c56b9b268a0d6e87ab95d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
36ce73007451560f92ae0e1baffe3b5a

SHA1
f17ba11e83956b1bb8034ad732e1ecbfc1311a24

SHA256
3e0b4c5303de7f717dda669573b21eb4f4b8028c8be58ff4fe2a683482bae9b0

SHA512
d9845b4f6b63244280ba70e83f71509f2da31eb8e32057ed9c6ac2bc011ad52b3a5437377f82d6a7cb2f24d5664caaa59f08a7b87b7019f4be4ad9e40a5ccd8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
8ee0689b43e2fd7e59457fe3db7a7bc8

SHA1
024feede1c917c85c3737a0697caeda229216de2

SHA256
f3cf36c24304aaab2d3b21a434af7b39a3d0c36d3e92d2874bf144c397778081

SHA512
fd398e04e45a2fd92711da3c3cf7ce8e242da309ea53dbbe338114ced554b2274a499fd1f7614075c0e5e10114a98f66acf662d2f33e89e17f9bbdabe8fca0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
3972ba58583410a020321ab5deb17ce9

SHA1
554986bd2b18c4943889729a4c3079c31ea5b7b6

SHA256
189425060ddf3b47af467dc4d58fcbd7b20ea445d7727872b3283a321240c1a4

SHA512
23ee3dc32e7d97a6b9c46802401409f3e58236ece36428d4b907d2a5beb240ac9bcd607cd61724debe02d8999208e48cd4ebd4c005f07b10cb6daffd3e78792e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\613fc770-99bf-4ccf-a556-0a166b16d39e.tmp

Filesize
4KB

MD5
403ebbf3b6c65b59990ca7651e2999d7

SHA1
6d6fcc2c5840781f537cc0fcc0321931608e0ddf

SHA256
94c6102727cee331be3b506f933281e0dc3503e68019c6647dfcaf2a46c9d4e8

SHA512
3a807b8737a1206de47c316bc84b603f6509ac3f26d81ca5d84747f652219f62acdf95f74e3e1557a6a54c5f83189054cee0fc33c3706d7be41fb6bd9afd0983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2d85d68c96fc82168e9b176a6c237b14

SHA1
295ef0b405bc6807b9a84d7fa777b4724881993f

SHA256
6f28906f27b44a8daa3c7501bbd63af8807e35fbd0155d944639bd321d6038f5

SHA512
9e6e559224cbf4072545a626d0139b944cdbda0e5e1ecef603ba09c74e7d172d9547e3161f02184f74bf22f0e27fb22f1855f41ec61524d821a057a8d8973b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f36418d07e583e09f07cd5d253d80fe6

SHA1
b4c310c2bc6e1f981eaf885d95d32054f45c29e9

SHA256
82a4be6465f71859ffec0ccd73a45c00a7068f5aecf2d385772427adda0377c3

SHA512
1eb6cc0d9bd138fc5a55ae6be0c6c6a74660a70831810258ba6f342f75ef7626a9cb1cb439182de715ff79c7fe94ab219d6223934f60b4bbd54035678cab0096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8bad6032c03ca977b6377cea8714bf6c

SHA1
69baa74d30573e701e6166a8a424a495c3ffc393

SHA256
24c30e16668c0911e05ce3bcdb74ae6b3b8e1445a0e6c963497a686f3a241f79

SHA512
bf984fcec732c7105cdc5dd7e14b088989bdb8c48fbaa8255d4e3fbfd75b4a8f7325b16c461cf1f18ccb63d8c8461acd2734b9c13274e626765a3c107af53d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
281bcf7387b1e820a9e6b77fd8d61124

SHA1
a01031eb49dc5f7a57e0a00cd4359f75a054f3ea

SHA256
b01f9ec226d737814795d2b1e021dea63d3c46026934e124190dbb90b416b5aa

SHA512
e9b0a9b3fb2e4b676426e322186981e8e70340adac62b9326c7b498de9b58f96d41239dc7d4e9b99a4965fbf5604025f1782bd7af2a0f75db2ec7790598f7e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b803278200cb27425bb408bf87a49e0f

SHA1
81b71721e2d09a1eff078080b394c9da112fd6b2

SHA256
e128446992aa07e7d478f11fff98b84443d9b82d793536cd76017fc7e51a1a38

SHA512
366dd85f3540a9fc4538a9a6aa4ffc18d230a79d512b6f04a985cfed2d00b6ec8ad091ed642219d4e1b4ff881687fd7bdd575e9a077853a16690af531a904082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ef4f12eedeaf3c51b820aa9a5aa46e57

SHA1
b72e659e962fffa845001b018f9d2c6f5f218956

SHA256
577aa9b4ded4df0e9c8cfec16d727e49ac4103208e2eb4a032bd1b56cacffaf0

SHA512
7b8d2a2140889dcce50ecad8be4629c5105e3261dc977bab2bec31f767180e6426bb86daae960c75da58293f611a70a25532e85f36ce58637a40836fc5fbdbe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7fb323c6e2e39a5bbed725563704b0fe

SHA1
faff78bfb1bca2b603c9b3e63b9b581dc74a7ec8

SHA256
520171a2f787969b502be0afb120a9d6fc7d9d39f2d5b58c3807ecee84deb45f

SHA512
9b2039d716b1f9dd2be5ccc1cc8e76842064121fe9ae9a6c40b8b3db336403900063e6408ead47c9b214d7e21505943cad626174fc60855ce1ca3c5a056e9a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b4be0f0ae55e573f2fe8290d06dfe99c

SHA1
53212ed8cfad6aa6689db90fac0b5a6f2524c879

SHA256
bbe80b4cece8fd97f515a9c3d9aff5897fa6d2b236a896dd70950f32746f1afa

SHA512
578570f9e1fb295dfdff62c0bc13bbafdfb1958bbd181f96658c752d28f85c2e04d4673c67d7536633810c5ff2a290a9b79673331b599d1deac08cb70ae4f0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eef4b1e221620f4f70148e6ee993d0c4

SHA1
21f7cfc01f5faecea04bab5968ae605608357884

SHA256
6a0acba6289dcc0bb3dba8264aff74923a49b5ca292af8e7e1767f6240674ecf

SHA512
a35dfaded7665290995c2f344921ef2f96dafbd9cb8324d92a938edda0e0ab2640928e45eaca8d418d9d716f848ae6cfc134b74c100901cb2df23c9e817f7140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
aed1f5506d26bcf904926c5eefcca0a1

SHA1
0cbb55f462c2d0d8f37b7c605f17dfafadf22788

SHA256
08fbcc5c88aec28f17f8f19f86add4898fcea31fb4f8f81b8a47b8027fb40b3c

SHA512
c2b13a5b6eaffa557b55784ebe8f85c3778b4b82781d92ac490ff0ff0e84c2e33be802d73f1b45d540c066d1cb9be2f11e6057d70ea76c568d26419637acf124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
6bc81968987d4b08a333404e18411806

SHA1
be58bd0e44b76cae73d0b1ca412628bbdbce13f4

SHA256
4b5733eee3e63d4ba7f0895e6da9df125893d9f842238883158fd18fe4ff462c

SHA512
36433f39687a5ba856d2e492c86684341e4e8ac3bb0a756a4525281124af6cf00c6929ebae25d36285e98c9eb97f3f0283b63f533aa15801695b73c8ff883df9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
916badd5d8af56dc70e31d2fd125329a

SHA1
2c5e0cbdcee8dc1d20112a2e617dd74468c7bc7a

SHA256
79cff7425af0e86b1d78682cad576b29ec953ec004617d905da5013e6fe3f050

SHA512
276f07e21271181d4f4eedc07fd3d19c3d87b4430265f5cddba31253308682deab6edd3272d175e8ae4e6325442c529ea831d58ade4ca7245c21f4a26525b57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b567d00a248d728bd562f85bd7b62fad

SHA1
a026f2f966c8e12b3a4b894dcb6820eac8edb653

SHA256
48f488df7bcc907269953fedd3e8b3205322ec987d9fbe238cbdffbafcf09640

SHA512
2b6783a2b9012ec45ed87b176a87725e87f3fd13c5165f4df7698e99a9d10f8230012a96db933d3c2aba5bce90a2efe341d566487fdc7df6b5369d60c28687d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79582e5f9f7e2f0064f922c1f7206d1f

SHA1
ea9f09853f475d5a5f89108c72a8d3123f6197af

SHA256
6a36a6c796bada0ec5e21511995edeacbbe0c3c5a135f894d5c641ef69b4f944

SHA512
ebf016f21bcbeb9eecc0805312345a792e563b7ae0e8c7133e24468f25b6c6f76a89a4adebad4659d4cc4d81e06bef0d9f14114995496ca5342bcd1bb528a24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1794be73e101f3e16af0970baf688218

SHA1
d103c73379d90499b6c8ca7c4923e14008d1ed88

SHA256
741020d1192247d22b4dd559bdf342921f2cc073a1b6cc1f1ebfb51512fcd68b

SHA512
7a8f72a1efd6db96e121c67d38c8c07d37cbfd55734ed80d03249fe73f4536a75f5b1df349be052826e8f4d10b31a53e28381177e820a277ec15b58e695f946b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f66b08607cbd3fbe85ba2aff56d3474

SHA1
88deb8221704db1d05afb55726c9e6ac482bdeb6

SHA256
2843f4c1ecc962a87bf0662f32db5b0a2a8eacba18359fc0d7be86ae3b548e5b

SHA512
d1a4ee4c64b8a2aee65b055377ca837295617e69710757c2b328138b70932727dca8a05ee8f9b53ca2c4a87f249de363e0b4bca80e6fc29e812006533e5ef3f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
06fe38e1796bbfb03bf9bbb735d6b126

SHA1
92f03570a3741a8461e9b00d1e8166a68689348f

SHA256
064cb1ef64bf68350a2ecec19ca1f1b48415409d3213d02888fba6ba8c0f5120

SHA512
c939d6c86c860a499b72952d5d364e474893b71f7995eb5585c406fedb77bc60d40be356c431b6865bb505dd656bcb73084c8c1f2824ee29ab4e20a1368041b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1251d971a850f82175ef65bc0254770f

SHA1
19a93a1d6da3f2e657c448d8442d33a7b80e4972

SHA256
808ba649eb4c10bef06b0c34d9880188c2fbdfbf6622af1a92ee7da2664d2ce1

SHA512
d4fb8405984755fc531e9670474994250e2f46590c97628ec62fe406fef544a7b0510acfb8d1cff7c4297371d3ccd52ce0840e9bfbb4231c3bcc86844e4917b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1b24a73f0c499fd97f0b37b416a13e6

SHA1
389875cb484f978c8f2b3694d0a4beb11d081b53

SHA256
7b00b44c5f17c5f7af27585fc31fc0379f6ee13f99be1c32624bbd665cc25479

SHA512
894b6555498396fdfdb808bb7e4783e5838e199d833b4f7d225eb9e02b0e63bd12cd262e1aea712c30357db4f1a052984e5e36eda0a04e6e46acdd89ea3b992e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
738f8f565dd8aa0472d3cd9b71380716

SHA1
100b19053d40ea8e2fdafd20124b33282c550a88

SHA256
d0a9926f0d97d22c263ca69d80152b128afc90057d7004b45e68aad822eefa1a

SHA512
787f2671b139dbd1dc4de9c0e5293dc397d30d3cc038dda5a41f569270183e01305aa30a06226a2825582a3845052915f8fd78859db88b9f5fc9e53c0555e974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a126fc1c10dcf85e0bdb6fd3e12ac8f

SHA1
728fb7d1eb1bb926cf086ec7d97a0aa1892d1a38

SHA256
d029b0fb69288ff9e3b2e7bedc21f2bc86bb2c683a1be914a38f5d14d2ad05dd

SHA512
2cf37c0cffeb230793eb4252948e4994052539839a726f8515313ec366ac643d2ebacc8eee2d8b426a5b89692e9beb021de066e79c5d6d36215f39d7511bc7d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4ecc14f1a0b792a0ead2fa963bf176d

SHA1
96eb0ca54d83fe2d22101499dfc5e33b6f464654

SHA256
7790b148a8b95d7e0c94a1c398dcc62a146d931f09ed7a4d84cbbe25514dc5b4

SHA512
994320c35c93a4aa52f35d6b29113cf3d8c047a7338a54f0595b33099edae79573cccea127cc1ab533a120bf85c07ad62aac9852db090f5113770d7ec809f5d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d37a5235fbcb8846f0b9fc3a4df52f7

SHA1
f0bd6762654777ef502ccbe5592d137d893a0355

SHA256
4366341a0df30401560914e7f2ffe384a5968f2f9e7c2056f5e8d49ab6381b31

SHA512
25d492065c3578612bc2861f514f41d46604f7937c078b21ae5e7c833f3efa286de19dcd6d50c48a8c6f39a81ee91a38755e59f82522b1384327fe3a9821a2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
402cd3eb0d95a8e5c86c86ac4f89458b

SHA1
5d7d553e4facf53994622da3d8edb98475ac3c9a

SHA256
9bffb2489474bf8effe86ad047506596d18bf50635b7ff3faa829170403529ef

SHA512
4ed1d60bc0b9d2c7a8a089b33eae39dfd69d690a5feab2ad2a1a0dc85d675745c8d21f506cbdb67efe608269c4fabb10a6f12d819a4d652731e6657012e85a99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80bea4fabe48947a9c35724933364d38

SHA1
637a8bb30bdb00283f819ae26b440ce017c38888

SHA256
afb89c3aaf68451eb1c881cc77f8f03410e7beaeab489aae3b226dcb505b4be9

SHA512
73f7e9169411bc8124aa3104d065c9edee4c55f02e57c6f6472328268607d1c0cd5c77d5f4ecdf2be7b3f53442104812988bfdc2d07d153dda1a42a78fae15db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bfe4fb9f735c938765edaa45300ed5c

SHA1
e5cec38b3b839327f9529f3cb74c4f8dbe7ffe9b

SHA256
b16c54d3fd87e6b08d535428c3348c9fb799831d79c656fc0935968973e5137e

SHA512
4687c602a4d5d22babe5fd2aae3d83eeab58821752287465bbe045c0484c1da92571854cc1ac4327575a10cac4a74057bace3b3cea5a6f9a28c1b4cd494d3a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e91f4927a754bc7ad3afbd5fb148b00e

SHA1
42fdfa2674473753c1d1e6a014bac1659ee4d84a

SHA256
c7c10cd157f475e3367204970255474ff661b0b14ab617e02802ffaa1835536d

SHA512
8f71ac0bcedf73b8b6ad09f14eb9f3c439aaf55ae93bc4167636fa067283db9494ca47c4f714189972fda8614829e333ec80a61373fa354e477b1c637339eb93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32ea1eaec85b49ad32558537e0f3ff29

SHA1
171c9622dd2fc103a30f0c75843ec2a8b28c0a21

SHA256
a52bbe0a6f496446d3e9a49b905a0dbb127a048e6ba2f85045c4dbc18a8e7333

SHA512
16a2ae7e2ac5e2e3d6a71e4ad011b3038295f4f162c4be80e9283179e417812cfebd9d3486d21caf7914d7d5b9bb567d2123f53ca2fa8d34ff4acec250b20433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
627e5659f4dd16b6d3a0ce9ceea340dc

SHA1
e26aae827c3aaf66f439b57a53ce6b1d33fd5fa7

SHA256
87142a6146aa0f1d0b42e07e3b4e18089441b23390b78ad275b9a65bc3b83105

SHA512
254aa1b36978c95bbeafd51c9655820245d42d6a82bee7d34fd321557940a29e9deaeed254537cab98191e7129bcb87913dd6a95db14146166f92133930938a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5236ff2c1044f490ff13f24c39aa611

SHA1
1f40621ca45af1e631954f87c5dd18be778143ba

SHA256
0dee80b702ed53ca3a984eebe91aee5cefb0c0cbdd16a5c02f84aefc5bc17c21

SHA512
cc05cb25061046b3af52c7b7a5fcfa00e4a5ace042ebb8de03c6d1049deeb7d4c00b95dbb0d97525ba1ed025901963ae6efa1dff8f645ff5384ead5a019977ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbeb8870211b50f44be3360fd905d392

SHA1
a6dd19745ed0d6140a21672771cd469dbaef702f

SHA256
96cf2b093e61226637ffe068cf3517d81913759130b82eadfbe1344c34786ef9

SHA512
3d43e094960241a3cccdb79e98d8eb9891924cefea05eeae5b5651ed4dbaf9c0d83078489c282607e23d85c7d4a979f14fdc07c1325465d9e88dc02508f4f9b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f31612496dae72899ab493d0678bfcc

SHA1
8d9c86690bb2c3889dafe79c465714842f7128d0

SHA256
eb8080d0506b8ab14679e0b445de16d1cf65c7d6d25531abde4e5af64b737884

SHA512
0a713c52a605034ff8013f6e50e304a897760497097a8cb9d2a1118bb76bc8e8c9fd7f6470b723a2994fbcacf479a99414c1f1db2247a10d7824667d732001ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3ea8076717929dbb420eda2cf7fe233e

SHA1
a7f00b8652fd239aa16947a84086f601e9ac18ed

SHA256
4252cec61be541a647bf1c3aa814f37a1f056284b82368292d3b0e82f78c49aa

SHA512
af01cdcda1439bdbab9b2cd5ce4d3d8291717eb4c015a8362a26b9c6cd41e0ecf67c6b93dec03e99e0d4a0d4c9df48821395a7e3a803c9ef5ee8c70854b7eb48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c504bad22c5afc845e4bbe1dc70cb64d

SHA1
8dec730a37b673ed8e359bd15e5f16c4b90657bb

SHA256
60b8fa9de8a2d19bab46dc4098dccf2042da95047b08b3a68a15abd7c18ed00a

SHA512
5e29911d12879993294509e0941837cb687eca2baba6a7c1cc4e1fb24b2620fc3bc955cf4957ea98257827b85d979ae320837cefe7e61ca53a47924fea620636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38dc58acdf8051ac72555902ac3f6924

SHA1
57126e0ecd8e72e7a2d32e440b86203c00f9844b

SHA256
b03b31632fcc2a2810ac4e8c34bc36de97fbfd928348350f1662442e222c8a95

SHA512
2268448ce7caf75a172d19595195499324b394d8a797dcc58a701b859dd0f3001184523a6f323f3b656b65cfe9bc3c1eb8a2bc9b9acb79420872f27e65e151d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43601ed1fbf743ff3dc8b79a99a8a896

SHA1
ff875a7c2a02e4ae60d634c1f796cfb9a96a4e13

SHA256
dd6f0eb55d557d1ac50ef89fb7364291100bb5505b695afb944f2602355314d8

SHA512
a2a88a2180ddb4d445964aa67cdcbde83543d9c1449e4507f1932e57e9c48f005c12dedcc8c76dd79c63219f88faf94488fc53b7bfa99d661e4a4ebfc5fca4a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b90fc2c5294d16757fbd08015b7caff2

SHA1
2e67cf29b89efbf249036e4b9c34627e49c7db6d

SHA256
68d8b7ad347f19f0a910e09ca533f6e149f3fba6db2bd1cc878239977d34e7ca

SHA512
dc7ea2e3a92e0d1f1966a727f8e0861b2131c4cc219aff4fd7c03a367ed918948236be23c3966da4e85aa89621573dc8bb8cce1b5b21a63d1013e8ded97a2572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3599caa28d95850e1f24c0083c55b8a

SHA1
982da252cd3f15caf8897651b561473824e87c8c

SHA256
b831e27bc026d5801694f1446aae078a4ceee56e5858ddda56975c7e80689a16

SHA512
0f572cc5bd12f9d21c0bf613fab6d1437d617221cca839467b846f27815d6bc36f2e46b8cc1c7a75556e9ee076b53b2b17f125151378b6a6c9dfe1ad6cc7c84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
626daa213ede8c628359fe7ec914df73

SHA1
e63742d76ebe3d1333a36b9bf63e5d91e14d4e2e

SHA256
6c7fa9780c88b33d36169a1f479056ff2af6cd127f8ce08357ea3fb0b8fcd777

SHA512
6461f2d1c377f35e5329dcb9c19df24e9d6d279722fb4570254429a2810d341d3d80efe7d54ada677953c49913276240714a12a66dd2ed10f0f7c5a177bdcc62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
111d7675c0f0b159551d4886a5a6cea8

SHA1
438e1cdf76b551b314337a4a0bfaa254cee4ae17

SHA256
7a97afe36efb985b66d5e64f009839877a65f113b411fa1e098c44d19270f531

SHA512
46be6fad65f24cf058069211041342fab96aaca8c1bc07c4a0052ad818bd5bbe0b811b5d07621647517b7ac6266415acf9e1c954b221428a320502409e682c6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1b77a61ccff87096bc4cff0d3f1f958

SHA1
98e70ffd449dc597826e9afc1bc06ee7f408b0f5

SHA256
15aaf50b371eb97e29a583c013d123ffc6301d573a7977a66fc2d04e7949beb0

SHA512
ac0ce64ea995cbb232a6bfb81cc97316883271e543e863b6d7103407d012d70009179685a37e9ae9194f38bf5f7c239114e7dd0a1f25df8e0c98e48b5c665d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77b3b8ce9b4c3afc57c9143461db41c7

SHA1
f80898cb7f90b7583b949924f2b5392750b9ec1b

SHA256
6097927af0fae3b483d0505da79a43798689ed4d237e4d9d8265782a840f482b

SHA512
038bd0c8822edd42184c9c3476e2597eee57629f31ce8ea2681bb0034f89bc95a56ddbb1920abb46cd6e01f0ad383043c8ef4936b1fb5f53e4e2751071a71c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5eba1602194cd65d00b8e85e0ce60f12

SHA1
462a89381348c09476c7084cd9b35a2328258864

SHA256
437cdefb3036b03e6a0aa06336489f6ef41d64bba1c4b2fe5bd8acca2c6bab33

SHA512
d7274a524458e20c964d24d01402868e1b70ba76f4cf3fb591b2e90445f6da4f8ee6754daa5a8188509e8373a6ad31a44486d11f9256c4e3f3c6087190fa51d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48f1708400d6101c124c7845843fef12

SHA1
91064ab7b53a2e98f38015ecefb44f66623f436b

SHA256
8806596b338a7a2a3e29af07b7c4cf1861b8d8e8f81acdabdfb309cd740195b7

SHA512
f9a9f9ae473f48a6a0fd20054144b8894b416faff062b6c5be64995edfd4767a30e82605bc8e670e99dab99c8e3eda6ed6cea1161a500f88a6b8febbd07ea661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6cd49e73b3375fbbf0c128eaeac2cc91

SHA1
14175d024f93fb30a025cc5ce450b9e9474488f9

SHA256
e0ca98e666a21de4ea94219c2684dd706fdc18974743eba87b214b373076e63f

SHA512
5a854f79b52fd445c4a21f535165df89c39ad40019c1e97777b291dcdccd9c8457a7e5d5ca9e6a4973be37640610f46bcf581335aa9ed46c391aa33e490bb968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9dc7cf5ebfc17f9a649bd35705a2ba14

SHA1
a80c19779fa1cd865adf968ea2521bb3dd4f1dfb

SHA256
c94422b221a4a31d716189f80247998845fd9716ce77f32d2697f30d94d58e0f

SHA512
0498743db12f7d5c38f264b865cfe6d578a44e106d0027a811a55269a38290b02e6b3ec673e6e0ec8b09b6c00b184d9be28a77c3ab68f127b286366abab4be66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cb463c79-b86f-47dc-b743-6e53dc72f87c.tmp

Filesize
9KB

MD5
a0809d17de0d9aa241881c34faea24a5

SHA1
ead0cb6e7a24d2627154b520ca920f334ed58902

SHA256
9627ca574b22e515518cbd6b7b8f48ca656183c4ddaea1e84fc316d7d5bdb534

SHA512
a26b15c36b4dde8e47b02d633422eb63c66d940e7196eefcbf287df903a3dd080fe7844fcb65fd90417dce38b44c64bee09cf47161807c9ecec75ada01ac4e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
f681afb279223e6ce8bd6ee69b00b401

SHA1
0b6f28c9ebdc6b4eccaa7e999b7a2342670cd647

SHA256
5ae15b3439b10520c95d39408376923181663c5c6e5674ace6a58057b61cab66

SHA512
fbabed67e886fe5d8f02997c19e71198dbe3c1d02e80c2d05e707e2638e79dd7ebfbee3c233e57f71e286ccbdc171fcea46f11b36bba090d12188d7183e769f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
7ecad0d824555f27b9f9477314749b67

SHA1
a3410df3712d80705ecd1e006b1e9ffb17126ed7

SHA256
83c9f7c47f275f7922a25dbbded8ee58fd2950c9628939907b8c26e8d9297556

SHA512
071e1d13afde0dd8e92e0b4effdc5be311550075f66c318eeec700a49000566c841581c766bc5e9a5aec43eb073f8a80d3fab59fd56e96705d1c985f252cfddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
164915b7a4df375f0062ddbef222b048

SHA1
cc12ec70c94b3356b9611285f228094fd929f08b

SHA256
d6474ee6de092ff840e1f8bdaf594573968328e17daef89316dad966106532c5

SHA512
744278a0214cae0b26bb0a8d1d1e59361ba0592379baf1f50ca263366a289a2f9af68ba761342f069c5a9dd6f7aacc084867711505f1e81e0d4af1b0faee795f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
f4e75061e4e8d2113554808d3154a6cf

SHA1
197c52ecd62eee60a94b33fa5d8de4663314b0a6

SHA256
4a848ece4ba440b52cd8f2d1c4bd0ddbfd4f820366f70314a8a8f47b92992704

SHA512
8ee25f24c5f15a7f85cfb97452537a17e420a16456de81d033b7f52ace2f740ecc9002001c0a1f54b65a07ff266f1651adc92aa8996ac4158debc4fc9ee3561b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
dc32174c1cb3ff667df5eeabd7db7be0

SHA1
1374fbe0138270ff2c561fc68907fa090fed4575

SHA256
e028852317865e0e232b35a87efa64405c1195edcaf7c598388c63a649a37192

SHA512
19362d1c869056badc30aed856762e6070ded3fc8487a9aadd8187784c3599be297c14d2deb0681e17b3abc22602be66f012d6e804d67a042e75679e33ee299f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
6e00725f0fe3fa139e4237f0e047ae84

SHA1
212587fa38a9dfa090efebb2d8a4e4235f9443b1

SHA256
615b9df04df0853dd1dafbcfb790da582dd8c5cf32f5203b297a8faee03577a9

SHA512
0418ee105581c9002522d6cdfb58fa0ab15e4c94de3b295d0db8481eacfe5a000bdbd2d77c7227c50a513a99b7d91fee014b3f708114cdddd70c94d1db54b224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
c9d773515fe18e7e332e78b6130a5234

SHA1
8aee6a9ddcb8ba56e07eae95bfbf01074cb7d582

SHA256
dda9f7ef01645a9440956e2cc6fbd7c853568afa9d2ca28a848336c59eac2912

SHA512
48a4b998a69b20269c4f6f6a55ccd562d2a7157bda4a9ffdbb1b5f01c9334b89923b9958f979035cd035c8163b9296aed0744977c9e500fa755505efb9eedcf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36c9cb69fb129bcdf1b1fabb6ce983c8

SHA1
f13bd83baa7ebc487dad6b7ebcb21368c40d7544

SHA256
102393e3523fdf651d6238f83233dcde4168d8297abb8c0e0d3b51d8374cf9fb

SHA512
04f679545dc1757eb515fff8a319e1c719d72e1bc1d2027b247c117553d913d65fe92efaf6f283717e65d2c6b0054394c59df2b3ad643704d3cf57a61b5534b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
82a8b4ce3240afae3304c4b20f460b74

SHA1
e8e012ad94cbb85cb13a173dcf29a1315ba7c39a

SHA256
f977aa94c0fb2d3f847db1039b983411443bc61841ad55fb81f795d8f18f0d16

SHA512
d0fcca7930b5db2b521af11917235e2629059dfc973cb479c51f60835776b8d59a37e15a51cc5997a8f5084ed70f14a7187be040e7cb9ffcb0068cfbfa7126a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9f0fca6626b6801edc3c95662fd99ec1

SHA1
9c57d9894fbf3f3a8aa73831ed6575e410835c4b

SHA256
754b95d0af5647b598df602a67b4050a5d5f142cd29480b1ca30c4aef4468cf5

SHA512
69bd8ecc2e8d639e3bfd7355d0f57f7685b562deda3690c4e1266173cdd858a6cdf2e330f7f9c6c2a70a0b482e24a0bae93b631248c69857785a17100a1e847a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ded75dfe378211c55c6b01c98abe81f4

SHA1
a7e95987fc5c5cd70c82e64ef37e8e5b1cf90ea6

SHA256
2f0f1f862e282eeb8e955e9e7fe6948ac80d6bca11dca749b39c012b21682186

SHA512
081e70f9351074e34a53a247a578203a0b965786a4841c6bcbcb46f66f08f134f818f7818a5ceac4e581803dafae9e28fcd43cfb38da19a8fb2126cbce85e602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf154dd4148b937dda03b8f1e2471a9d

SHA1
2aa596670c10e57881a3bc98b4be37fa90f1990c

SHA256
917370a1b34181048cbee2ca997e74808d0b65ea9e0a29e0ef47b3b18461b384

SHA512
6fd179c1e1610891170e9c46174a65f1ce5414bac62f0de906c689aa84b008126e9e9c2d6d566d47c5ec5688992878f86659f69ebb6871f5191ec9ef6e3e02db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ea9668ae36fe39a9729bca2909a4da47

SHA1
b2e230afc37c129182d35d7de094989770347844

SHA256
35c9f72652e176138ade93149f53430800a2f036ef17abc0c29d1d51070cad78

SHA512
e55bced2fe0a455a02222593d5bee9d30dfec7eae14a11682a67e55f73af54418c12ad62c25589347f41646d5ab78670c19e34f580d1d801f62ece64bd729325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83c7f8650163978a53aa52fc9368417a

SHA1
6bcd89fbb447c293c1f0f0c8c18ffb3d021e6cb7

SHA256
aa48911a31b1b4f65ed9c41c1a092c2cbf425f3aebfedadc5054271e6cecfcc7

SHA512
34cd3611f8164984bdbf5e189936bcdc0d662a67cbd94779985933b2d371fbe441af26b1c1c9155e1ca77d230836800340036aad54a34de42c245c018de1a471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
95003e3a82529b786d2f8cf98354c4fa

SHA1
571e60d977785c78b8dba9056e4aea1658159cde

SHA256
d27172ca5d200f0381df7d08cb22fbaf80187d80e248185729d871c8f237dcaa

SHA512
574a781ac913af21f0d98e65c83cc16917fbb000a70f27fb5a09cb234466d5919abbf0437ed655aa091a997b0414d58bf4466bd3b753cbbe6ae2ceb0b7ac1b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b45e1bb59e65477efe6e830c3c20dc8

SHA1
37df96715728b3356de730c0a0eb8cc3c77b3630

SHA256
a5fd70321bdf0fcbf19e6ea5cd15e7d29b218b8ba9e51cc7b4d6754cde723e7d

SHA512
4a8052f9a760fdbf9e2e539f30a016111cf7cc164714736993accb399407827602c79898156415024c98cb35c4cf114a102dbb089329762237a30af769322ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6652ca441d09427274e63a65fe73bd43

SHA1
1f9505d730a24c090d9e13d672e5a761792bc2e8

SHA256
0992cf4e3f7298fb789c24adc3d7b00f3002399585c7b08ed2c76568c38d438d

SHA512
1fa9d1d9bd4d4be8e7ca08fefb977c9a86d3fc59015dffdcef46f288834e3290a0c96518a1dd78b078b880b8eb8ce7e0df1e0d81a92113b85890851cc7f6923f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5aebe81101cdb8e91515ac7e4ee9cc4d

SHA1
ed759fd384d27b8f450407ba684a3d9ed36c24da

SHA256
a8662b61ace9937bbc90caaf65d72a41b22bf7aefa1bd3b0be6bc55655124708

SHA512
81c1ebeda179ed11f85feb09a310c409c7bb3182d1a8aee3493306dbbc9745cf753242e3ae263cc3f3c39abe1b4c38ebf91be3f1e4aa3dea78c2cdb545c0fb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2338c854-cdc5-9378-5d3f-23d937174738.exe

Filesize
9.9MB

MD5
1794788462c41d14e2659260f134a304

SHA1
e977afbac54e557b917abe2604eddee4c72fe297

SHA256
8f2f5de00ac8de98139e3c9a802bedae0368714ea3714eba37ef5778bff86a9d

SHA512
941d567e3316a4388d3554b14a1bf9af8254475811559b253dc9428b1e9c2de4d7d1f307fec9719b2c5968d3893d204d5d189fe312afe5913ff17572bbae2aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ud443ji\2ud443ji.dll

Filesize
4KB

MD5
0a7fb3167e6d3ba1e08b30ffc892b942

SHA1
6ae8986c093aa0dce9ea87d85faad26cfa62d418

SHA256
a4948f4ab13c70a1d09f354f9fa4a14fdaeb90c8284429dd36777ddb17a036c7

SHA512
8356716021ce8af5073979e6d3ce14ce8cb11618d2690bb052afec9351607215565142a24c1916f1bde1dce5062be97ac8fa9e3d008962fbca22a25efdc28615

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJyHUbVxNa\Display (1).png

Filesize
419KB

MD5
0026f8d74c84ddc976f64f9e5b5e3b7d

SHA1
d1191401e5ff6d1e90051e52b5f1922f0a2c10a4

SHA256
4226dfdfc9d4ffb8d77638ae1a75a0b16d194f3dd07879008027cf029f55c607

SHA512
6fb72b35ade2ab9f778eb8c8ed268ca93883d84714d778947df1ace1dad58d4d6bea1966a4d892e98f68b977bd97f9e629a1c71f971e0532bdcd3c08677d67d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES953B.tmp

Filesize
1KB

MD5
906737bb3fe4ac72774f8b6463551a23

SHA1
e47fb304b898b28792ab35e55d3d544734848526

SHA256
deaefdaf9c8c74985f1739efbdafe8909af8f4e3f7bbdff7d28ce6e39d087380

SHA512
b25d0edca1ec6cee65dbb84324e354dc275d6338d584931267f746fa228699ea9a90846f2d751ffd71c81f77d2230bc83184ecdbaeccc30f21932b7974f556e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xbjdnmb.ywo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Dream+Fivem+Spoofer (1).exe

Filesize
9.9MB

MD5
31d2912770a4065c5b6ca54d2583af5d

SHA1
a55c84fbe8804dc63ac4e7a1380232c2f490633d

SHA256
377b661d34385f36f13c120b1958ec62dd1f0420709d88671c10029b10393fed

SHA512
ce51c10e825bce4123f198cced81f35205dfe63e10d1ec0b4049a9aad180d089a4a8e017987bf3f62f30608abeb51cb8a3736d66cde4936b804b35ef03ab5f95

Download Submit
C:\Users\Admin\Downloads\Dream+R6+(1).exe

Filesize
6.1MB

MD5
098079241a31077ce464dedd564d5965

SHA1
5a4a1395ce3f7aca2de4eba960e579bc91ec2a07

SHA256
fa5e08c10b5436ce62146da3783126a903a7e1d545f10c1a0984f40daf8c1d35

SHA512
f70f1996406ea498e6e2d871d05803ba121bb4fc3a35250aea626df612446d7d197aba9cfe7293534fd76fcd88721ed406349d74b747c43d2a5d9846866fed51

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 721639.crdownload

Filesize
6.1MB

MD5
b3fb7b4630887a90d8338116cd0de10e

SHA1
03ad98baae48ad54a7562eff03a635eb434979a3

SHA256
a93d18acd6f21a00d8483599e6e36c5702525d23814923e568e9f69a870ee37f

SHA512
dc5cd068abcdf803ef2956916ce4faf63133cd447c1ad5e75e45853d0da270c17c2e8764c325eae118e2ae7e94472fe40eb705fde4ba1f71021ade30c70ddd13

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ud443ji\2ud443ji.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ud443ji\2ud443ji.cmdline

Filesize
607B

MD5
a35f16eb94972a036de7058403945cfe

SHA1
cb64db665b911559d3929cca36735ddd54ef0d3e

SHA256
642f70ed83f3eb3a1e6c3b6da53c915c4487a30e2078b21b5503c226136962ae

SHA512
ce2daa064e48df9c637de3b5b76a047576e562489c13c574776f9591cf1ff148cef531796583bc88a98df5dd89d0cf4c6c1a4bb36481d10f0fb6655981a76905

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ud443ji\CSCF4D23BE436954795B187818679A2CEF.TMP

Filesize
652B

MD5
bdf690ce442adab583f175649b49e9ae

SHA1
3bde259edd19e2c078fcb21ce1a72e1581542385

SHA256
bb73221afefc5c0b3fbfdd1df9ec33cca774df1b78a36e1559a86cd6583be426

SHA512
f3e4f0368427146ef874736a785c2898c76051f285540e01ceac928f4598d57fac707366de7ebd8866e9815d078f67edbab72d4b66018ed2c02d0c4db9118452

Download Submit
memory/424-69-0x00000200FE580000-0x00000200FE588000-memory.dmp

Filesize
32KB

Download
memory/3952-16-0x0000024C66FF0000-0x0000024C67012000-memory.dmp

Filesize
136KB

Download