vidar | hxxps://download2356[.]mediafire[.]com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE[.]rar

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2356.mediafire.com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE.rar

Score

10^/10

vidar xmrig e5f25c023529d1a14d80fa58f094095b credential_access discovery evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

10.8

Botnet

e5f25c023529d1a14d80fa58f094095b

https://steamcommunity.com/profiles/76561199761128941

https://t.me/iyigunl

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/5808-415-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-419-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-440-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-441-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-460-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-467-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-471-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-472-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-489-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-490-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-514-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-515-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-549-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7
behavioral1/memory/5808-559-0x0000000000660000-0x00000000008A1000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/6608-794-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-795-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-798-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-799-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-800-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-797-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6608-801-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6272	powershell.exe
7076	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	HIEHDHCFIJ.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
5468	S0FTWARE.exe
5592	HIEHDHCFIJ.exe
7052	Updater.exe

Loads dropped DLL 2 IoCs

pid	Process
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6608-790-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-794-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-795-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-798-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-799-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-800-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-797-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-793-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-792-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-791-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-789-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6608-801-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
116	bitbucket.org
117	bitbucket.org
186	pastebin.com
187	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6736	powercfg.exe
6744	powercfg.exe
6752	powercfg.exe
5160	powercfg.exe
6452	powercfg.exe
6480	powercfg.exe
6496	powercfg.exe
6728	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\MRT.exe	HIEHDHCFIJ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5468 set thread context of 5808	5468	S0FTWARE.exe	130
PID 7052 set thread context of 3384	7052	Updater.exe	211
PID 7052 set thread context of 6608	7052	Updater.exe	216

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6936	sc.exe
6980	sc.exe
6216	sc.exe
6340	sc.exe
6464	sc.exe
6336	sc.exe
6764	sc.exe
6688	sc.exe
6372	sc.exe
6488	sc.exe
6536	sc.exe
6648	sc.exe
6988	sc.exe
6596	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2452	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690642915625679"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{04327A03-20BE-4971-B5A2-3EA39E36DFDD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
5576	msedge.exe
5576	msedge.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
6052	taskmgr.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
5588	msedge.exe
5588	msedge.exe
5808	BitLockerToGo.exe
5808	BitLockerToGo.exe
3940	msedge.exe
3940	msedge.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe
6052	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3480	1368	chrome.exe	84
PID 1368 wrote to memory of 3480	1368	chrome.exe	84
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 2216	1368	chrome.exe	85
PID 1368 wrote to memory of 4492	1368	chrome.exe	86
PID 1368 wrote to memory of 4492	1368	chrome.exe	86
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87
PID 1368 wrote to memory of 3944	1368	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download2356.mediafire.com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe54e3cc40,0x7ffe54e3cc4c,0x7ffe54e3cc58
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3096,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3716,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:3
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=208,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:6556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25154:78:7zEvent29367
1⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcfd9fad8hd009h47cah8130h459ba1322549
1⤵
PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe3eb246f8,0x7ffe3eb24708,0x7ffe3eb24718
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:5636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /6
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:6052

C:\Users\Admin\Downloads\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5468
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5808
- - C:\ProgramData\HIEHDHCFIJ.exe
    "C:\ProgramData\HIEHDHCFIJ.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5592
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6456
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6560
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6464
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6596
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6648
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6688
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:6728
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6736
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6744
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:6752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:6764
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:6936
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6980
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:6988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKKKFBGDHJKF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:712
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?LinkId=129765
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3eb246f8,0x7ffe3eb24708,0x7ffe3eb24718
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:6368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:6988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:6732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:6400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:7052
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6220
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6372
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6340
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6488
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:6496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:6480
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5160
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3384
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:6608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HIEHDHCFIJ.exe

Filesize
6.1MB

MD5
d1ef4cc12e52b676fb9ee02152a34092

SHA1
114218e9201a501179b6088b9e3ef333f429cfd6

SHA256
3df15bbb2034a98aaa3d709075d1b8947950eca17a26356836aa07bb13fb843d

SHA512
644ca61c898c7a4a384748d945edc006d43988804cf45c5aaada6433defc2b4424291d735d667eb57d0881ff373037c475708fef78d61b55154314a5d9ea8f52

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4727647a36bb35d181f5f5ba5e49a6b0

SHA1
ec18e6c258f84ca4acec587861393ffa70d6f5de

SHA256
e828b5c259b4a1caa620e30276fd5d405eecd004380b61a2c9c7a166576d3060

SHA512
c876e1676ab24501be6422f39e6e049cb873d9d9ce7edc293324da56da6ed4098fc5916f53944a8ce661ca847e16d501e23704066ba5c5b3b892f8fd145935f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d2a14a7788b53f4cd4fc8f24f173321a

SHA1
8f67f4e6e7fed5e4fc5ec677d524c49081fb1430

SHA256
8bd3403303c3112b8b111a14f6755b49eaf7fd9cefaf17b2fbe50b0d7d7f730c

SHA512
bcc658063d2738fdbe6e8c9f202933ce0e43586de04aa44b3ddc35352ddeaa181babd8f615d59936fbbd69c83e96b4b1f608f3f5c0fc5a6075b8a1a30f6399b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d2697394e7406116f7890d7be66f673e

SHA1
aee36d82600cf0c081262aa9f98a6a3e12b9f455

SHA256
c9ed82eb3e0ec2d02dfd36355843a8f97f76faa6c40cb0c1816b35009692f37b

SHA512
35a703fa4bed32275bfb938e99c66d6ffaf67a886fc475feed93b854a1f58b5527cfdaba5d8a53574991e6b4946e9f1bb4d6a9b0a8e8897df4a440492d605469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
0b8e41cae303c802290117ada01bff91

SHA1
f09c96a5b4e4c89269d42e17ebb85d3fc7f1840f

SHA256
c690d2c41518b68c1ef6d0735ec99c9e5847d2d161bb470a911d11b8e56a4dcd

SHA512
363cd9a66f782cffd20e8e45b5d531fbebb9547dbbd09624d267850d8d2b3d350e83e914df772523574731c94a09b21dd967a5dc1e88a99641a303c8f8d95564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aba85dc1b72fdd3d4e2470843eb9c670

SHA1
18d4f5d4e23a3b920f9198b1ffe9a67cea74139b

SHA256
e04f5257a3f72a8b408cc4042c13d4ad2d608e1258c9669a062497d05ab766d8

SHA512
70be9ee69a5a5f3408edf1e21641aafce96fc4e86c560076315d47939908e672f84de59f5994fa25f27db7a535490d9ec8e5b91805a521b3aad743a5abae13f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d5148385f03b3ed5ca2b8dd14b36f85

SHA1
e8f5470d0bbaa0a7a76d6d1ec30058a6c7adcb33

SHA256
cd2c9de794d74b05a68cc9e3d201a51d3884e19d8a5dde1e37966e605f900b04

SHA512
ccafffd1005ee21ffaea05b384d010c530f7c0976088199850256905b0231f907dd8dd1be317c8e5372ef4f101a256a249865585b36a122bf337a1bb6e79fd55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cea73acf6dce9900de018def5bd0862

SHA1
2be6a005d8698fb7abe681bfc0c7829cf07df201

SHA256
d9ce99ff250b37499d8854f6e6ae777666d79b322f50b181e55d40322ef5e570

SHA512
e15943b6307008dc9b1c150e42b3e9cca5ef50a4b3aaf895286c1e32a7c1f8f42663d02d4041bfb627cc48baaee803a56a1251a820c85c3304e906c453a4be95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f989a1df50e7945874e8be92bd97543

SHA1
c6f915e067d8e3b88e1cf60fcf670772cdc6d840

SHA256
e7fea67be23ea8f83aa942ec4d307b67356d99f7ac101011e9a0dad14ab3c359

SHA512
88e249c3166cb658bfd5e7fe16d88429ca6ec499403fbe9a4a111de0bfcd6fde570ef4311ec2db215eeaf61cec32619f42804d1201c0520e4979fa7b1a726dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
034cdcfa176696ae3e32b37c200aafc9

SHA1
c2b340e1a13a4b587994827bd071c774787c2821

SHA256
951fdd9bd0bf4936cdeaa3cd3eeaa6c7d75087dcc09be31cbda212cfb505cbfe

SHA512
669159360f989819bbb9153b5ae88b161e646344afe9c6f81c0b0182c1e40b0f067c1803cca9bdbc47af03c1ff15c36c8195e2979e01106235b4e869d6bad5c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bb46e6ecacf90a832fbdead906399d48

SHA1
3250cad63c627a833f177414aeda6a164d089554

SHA256
e3eeb18264ffe1f6bf26304cea2a1ad35418ecc075a8d98e0937b94462718585

SHA512
bd5fdc9765ae6261256242abeb5d1467db5886fe6d8a7cb421eb50832fa839edb65258d106b6414975f475f22d0c3f274ca8cf4723af8dd82a68680f19fb0c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cdb92da4daf0bfc2d9d3b37f100da53a

SHA1
ec2942ef73fb3edcd1e7bf5b1411a7e33910eb67

SHA256
2bd4efe98bebf24fdd240e67f463e1f820f0ae942ad8ca1957b2c2d1a155eea0

SHA512
b6a65ce9129025679dec88457ce6f64f7b37cb4cc407a51b27940194ee66e8c208f9f3738241daaa0f195d55b92b50e4f5c2c29de481a84894ef7ce6cbaa4499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4702482047778032bc0d4edeffa919b4

SHA1
65a1128fe02791f3f51bf9308a9cb1c8bb1325fd

SHA256
40929bc5c583c57c590808e32c4f02450b885d70459745e15ac67860d5db9b3c

SHA512
baab17133b50f6843f5a637466ad78e0d400f0761b90686c6d23ef0848e84aba6dc185410c43953643b127be28cb616f648ccd93094279976755d60c564493f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46c49a882ddffe6aa20e8879b598c446

SHA1
bd760bcf8057182fdb2072aaebf177b1e6d66850

SHA256
bca04e720852c68ac32bd282a209141e602197564d7ead84b24a2937cdd87c9e

SHA512
da257f019d703f96cd765cbb3307077e5cbfcc1bd356536bb786b09fd54be444b56b9dfd9de7ce67c7aa4b3ee20b130bf4cc94f5047fe6ec4efa65a623a12dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c75a3bf9d957d049875d6607c29cdd4a

SHA1
3b45f8ce05cb89761cf71aff364b7342be34a03b

SHA256
a53c98d4737cce143e258cf85887a432a26c931954579e1ccff9c01c3f9cee98

SHA512
ad43ab2146d064ebc5289fbcab07bf32bde85c1e90e2ab6c04f2dfe823fceab577df3f401d22fac37d16104f55f0101a64606cfa8227864b302c2c0f5a3a2054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8eab22f5ba68a98dbff1a53400a8ff53

SHA1
11898cbe1c0052c72df8352d1af79b454265174f

SHA256
bb17cf1827886fc9e71677436f32cc2fcaa2f87ee9c69b2cfe6fe46c3be78bf5

SHA512
be59e05636920f407dc241a9fb35bc3025209bb949f3455a723f68cd72590d819b37139b445b60eaebd07d14ff3ef8b803dbea8eb1a61dec9bce94401b89faec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fd332ca485a474deba028eb804d5604f

SHA1
6d30a1a8727b8865f3a8238e361a7e6ab3f8cf56

SHA256
d2609a41f6164fa964e9c9380aa7ab04c76ba6c17f2b237d178164cc515d748e

SHA512
810e3f3c2ef0a6dc4d85f6704bd2460914207664490d67af0c5526ef28419f6c4ce5fdcf2768117a54f71a0e711c1cd37442ad16bebf4400cb97720c73275d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
bdc4e59c8e07a4057f6497daebc27705

SHA1
85d1ee1a7e22f7402ad6c4fdc058661fbd75718a

SHA256
13e5fc370857831ede070998c15837f33dda2bbfdde09d0095afc14eda0d5822

SHA512
9fe7295b392c0d836f4be95c38895705961724fab5934a425208159c6a97acaefd848c65e2e2bd646c0aa94585174ed3492d383d9af04e89237ce2b28d63c4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57ce7118cb0beed6973e62b94dbda4b5

SHA1
a9876806f2adee0fa6200e79a871ae3637a652be

SHA256
19e72be36bf08db3025ba96c0ea7c3d571ab2db5519cb93e3685dbcf747e389b

SHA512
2217be5ab6d03f253c81299aef99d3c1900ada8037e4a74e8e1df1e4b238fd59dd1ba8cad14435ecf15c06a18eeca6981e75890089804d679558856fe4f7976f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7a3a25c6-3127-445a-9e30-b2b3f95a9651.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cf59e9d5f01cc5022e14796c2e6ec137

SHA1
c918590d7809e4c50de4c7b72d4145f72d08e1e9

SHA256
cc54bb509cd29bfe9557f301ff22656c565e4be99ba7a9b16f0aab9d10e04954

SHA512
37cddcea68598c39bc9b21e644b660f18a686fdddc8f6fd44254baa3240b8e0a238d34eec25b8d5a41fba1eaf9336fbd9b0d25eaa005544283230b87dba20db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
3f31b8ebc4033f84abc4e514793b6218

SHA1
57825df15355bebd2a02ee250dfc4a2877aa3e0d

SHA256
21ba58155daf26f40d6324b623c8533ede8cb9b667518c7fb63d69c1cbfb1909

SHA512
f5f05406e2cffeba395a1f1562ca96dc97c19271a81279f15bac73f20a6ac3eacec7b7483b41c7da59da7f1df79d8b1794b4617c30901229618d1517959e2458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
3ea525d8c5d17b1de5530aaf8e779413

SHA1
1be1b7a7d27d7e7066889ecbd90d4f97d56cca68

SHA256
8d9a212164eb37ae16202be8e7a45e0a3193e744425220f1afe00c559cc0ba20

SHA512
cbe683691ddb20a32459681b7baf76867ff02a1c3014cfdebbd25fe441ec17e07f4a33862c63da72f4d83516c41c569a2f53ba1ccdd5eabc51eef2ddb869229e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
118f7a97642b3e6d5618b4e03e4bf737

SHA1
0c25bf91365a772127ff129a2383d25e3d6370e5

SHA256
ec365cdc2ae9855d9b7625fcedc47bcd2b501bcac143c9c67a29e46c6e16e036

SHA512
81751b97e621b02d4b79f398862ce679c77ccb5834bd46178d9e531d2bca26729526a11540ebd75dab8c3105a2568edd1ec4948e7754076b2b8978eb999d69bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ff55695fdb8a4486c444b3e7cdac718

SHA1
ccd30133afff850bac3247b2e715fbae286e3ca5

SHA256
da9d56a393fe088d5c170665085d85c9496e6885110cd436d99e7fbda30db49a

SHA512
734efe5ddb95951b1fe3292130dc8aae9cce88ab85a5adf2f7f56e6c4fb861071e163b68d3f625ee38e54fa859e5afdbefd58e30b5700732378f3ed08314a35b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b87abfade3173e363976105cbdff8098

SHA1
6bf932b4908a9bbb4fa422c1156dec8e94b0bb76

SHA256
af9392ee0a4ebf96b610bedfabafe1d8f5d8a3f41a69694f0177b3aa893992f8

SHA512
bb75ce501a514db7d72ebb345d6e563efa7804cee5c1028f047d0fe4af4a42859bd963f3798f05aef674cf5c3ba6fcc8493e320911f06d18189011848bd4ef22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b6dbcccd2ac90cf5b628c22972ae13e

SHA1
98d136ba7dc7236afdbf8db0c0b16f78d983c6ca

SHA256
ad156d8889813148b250c99c5bc80f9aed399c6ebd6859ba662932c98d0519e9

SHA512
db8048b5a13063b62597a79b2e63da110ecc8ff055ef2dfb7d7c3af1179165c1e102d9aad87403227e8e5436063c28c62d1da2868974108a727e271e238af0ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3ae0f9cfca23887a6b2b789809ae9b6b

SHA1
248d73068dc74d98e1c926ccd86ceae34d135c82

SHA256
6e2ec2b0c1b2cd8733f6e6226695534ca7663db9896c5e126aaa0ed8cccc70c6

SHA512
2814801df0a2118a4c2747d308e1c22cd25ba8721bef620e56e3a4371aafd622b3124a4423f4265b386fbecc8ec6cde8bda30dc7d450100b47d8bb0de641fb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
76347d4f01247041d4253f023993db81

SHA1
6a1b5cbddedf3a28b32dc9e808877ca32acbc1f4

SHA256
e89c1f5400335bcff9dbb1cdb301f47ca47b3e896f6b5a04b0db5d68ee8a6584

SHA512
c62e77bdf6df98e32da33fc78d5a2f65e526fa616e3d89f20e7e221c2d187554d7b1accad45509df35970e95621207f26f83bae60bd21a32c1aecee0946c1690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
62b45ab0b51216de82f2e9a6ef7a399b

SHA1
83677c8179bb4e4bec57be4090b95a48de929670

SHA256
323d6b06037917e06cc47e5eb95024d0736fc142ca3ffcfc90443f755900ff73

SHA512
c6183f55848a2c31c52dc78dcdd1b8db01f2ab5bd5a9ecd43e6e8bee014c62d8082ffa67578a8b8b09988660a384e2f11dacb0c3aec988e69ce7a8fe3b919517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60077c4716d506180a77f4e126da1a6b

SHA1
088bd8f8f323f85a5a14476ead85d6e9e14a9459

SHA256
7aa82e8b348286bdf75c96cfaeeae427bc226d4ea0f87acae7358dbdc29602d7

SHA512
fa4ed40aacaf143d5e1370fc5af440390229fbf6b3c412b5505a58833a26aa6d1f686bd6dc3234252b0962490973135ce1d914b4e44f9c2e357e800d38dfcf81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63dff95452abc93279c5ea146e328a0a

SHA1
9e5c5bd0bc73d395df74c1216ea7ceb424e4a533

SHA256
d1e5ce3fba4da81e9b87f76f67b34d421ab38940dfee33238af997ec3ce9e7d6

SHA512
1a698a70da76d848746f6af5363777c52070a392868c0904858f248ba9d69c2ef376237d58e5b2ada7928a671b40208cebd9e9ef5449427da8f5320c30eeaae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8f44cc51c1ec8e06632fb5e6c63b57a

SHA1
c4946ec563170f1b5a45737e08c2863680a0fc77

SHA256
a18315a127bdc70c30de74c722f0bb526b810e5f2a49862c8a7643d1ced82a61

SHA512
781a035181496fa1a50aca2caa388926fb41c1deee0a64b67c70ce978b59fe176bca037c690989adb00ad6e92e390d83b8afba2cd5c53bfc19c78fb29791da5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5941b2.TMP

Filesize
1KB

MD5
3a70b69d17f3ccc261171d8cfb631707

SHA1
bc72cb5e3e3df32267f2d27d53219fa9d7808abe

SHA256
3b292cf4c5659a672ab5a069e2226ffee8f4db65c695dd721c4a09b30f996b0e

SHA512
5b35f6038bf26fe7d7acc369dfbd4e52a5525bfbd3494e0050d47d4a4f77f9672ac5358246c26ba3964cfd73b4d573e8558d7a67daf0d93288941ca669f62705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d7c46851dd5e22e2f7eafa542c9ce124

SHA1
9178465e0400c6abf59e4b1e95fd730065a8b3ae

SHA256
b33727e954b6093bf93ea5b0c74711bf21d15d5ccfa074bcd719484ae1ddceff

SHA512
961994d47e7db13107bcbb530089a4fa9602113a0236d2864ef87c1174aab8ddddf306e45e30198ce1900157f173863a6de9e08e5fab0d506a7e2b69f8ea91a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7605dd4f72a13959064ad4a0f3fde51a

SHA1
0a64577c5072edb9492ff9451ffe4aed1e2c1764

SHA256
cdd453e302a202a12f5fca4894076aa91a59e7ea359e2bb3bd30f6818dfeb303

SHA512
95b46c068a37a16c677e7badfa26deb946a9f1fe3e8d179c9b8a3ae54d4c34a4df2ac47c789397614b80062c1eed0f45fa0daefb15062fda90c54a863d3f502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
893907bf5d56562e8403eccd67d2ac71

SHA1
3d7639eca1536e80318d807b25acf9cb3f2115f4

SHA256
078745b8cdf49ddab6818dcf561586799afc142c0ce988cb67ecd171a82df4d1

SHA512
16f62bf980cf62c8e78f2f8c309703a068a89d6e525b2bbff6693efd837603a7493772a56bd7d7341be74a545ca6d616f1d428be1214cb11df90a7d1764542dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b57609aafe951c9ef7823d987c59613

SHA1
d4747240be9743d687c7713067fbdf2be5ddfd34

SHA256
a920e687f821a1824fd146010fdb4a19fc83c19c11149006f4a5d02e172d5fc1

SHA512
145d1b10f86d42ed6796c46a21ef8e3d1aeb1021adcc4d88033720b5d5fdcbfb2256790c72fed3d66f09bc07c75014a5da034a3085110d9eacd953215fbd5aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmbifwyk.v51.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.exe

Filesize
10.7MB

MD5
4ffe9c1e2820ea8e4846c2bc8c857b62

SHA1
ac7ac2d1ce9576d916d53ef34b42ba9d0c61a65b

SHA256
8aeef059e768a162a02a00770b4eabe9c4b25549dea4761afb372ccd75d80e2b

SHA512
2d289c4fbbffdcc1e02b2c76c3b955efbfea7ff6e9e628125fd4f7817656a0a763d74771014ae090319360d2dee6107881b67926667eb25d4b3cbfca0383b433

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.rar

Filesize
19.8MB

MD5
28a705bf9211140ae303c74ff3ec2167

SHA1
63cbc21e86aff821a36580e436ce8b31e9cf76bb

SHA256
ddbf4da6374d9db20333495cbc7a3e5491ac76f9a82a20791b5699c9bc835a84

SHA512
14118ecc11d03c3714a8ee84dde215d70834bdab119fadeab2246438e7d22bc20117b08bf766b5efc1ed1d41123d6ded6741d0caf8773da16010841544de4468

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/3384-785-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3384-784-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3384-783-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3384-782-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3384-781-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3384-788-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5592-676-0x00007FF65F800000-0x00007FF6603D7000-memory.dmp

Filesize
11.8MB

Download
memory/5808-489-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-441-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-515-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-414-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-549-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-415-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-490-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-559-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-440-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-472-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-443-0x000000001F5E0000-0x000000001F83F000-memory.dmp

Filesize
2.4MB

Download
memory/5808-514-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-419-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-471-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-467-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/5808-460-0x0000000000660000-0x00000000008A1000-memory.dmp

Filesize
2.3MB

Download
memory/6052-408-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-398-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-399-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-409-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-400-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-406-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-407-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-404-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-410-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6052-405-0x0000016AA1900000-0x0000016AA1901000-memory.dmp

Filesize
4KB

Download
memory/6272-734-0x000001D258BC0000-0x000001D258BE2000-memory.dmp

Filesize
136KB

Download
memory/6272-737-0x000001D258A40000-0x000001D258A88000-memory.dmp

Filesize
288KB

Download
memory/6608-796-0x00000000008F0000-0x0000000000910000-memory.dmp

Filesize
128KB

Download
memory/6608-792-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-799-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-800-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-797-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-795-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-793-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-798-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-791-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-789-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-790-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-794-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6608-801-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/7052-742-0x00007FF643000000-0x00007FF643BD7000-memory.dmp

Filesize
11.8MB

Download
memory/7076-778-0x0000025BFB7E0000-0x0000025BFB828000-memory.dmp

Filesize
288KB

Download
memory/7076-773-0x0000025BFBDC0000-0x0000025BFBDC8000-memory.dmp

Filesize
32KB

Download
memory/7076-772-0x0000025BFBE00000-0x0000025BFBE1A000-memory.dmp

Filesize
104KB

Download
memory/7076-771-0x0000025BFB950000-0x0000025BFB95A000-memory.dmp

Filesize
40KB

Download
memory/7076-766-0x0000025BFBDE0000-0x0000025BFBDFC000-memory.dmp

Filesize
112KB

Download
memory/7076-765-0x0000025BFB940000-0x0000025BFB94A000-memory.dmp

Filesize
40KB

Download
memory/7076-764-0x0000025BFBBC0000-0x0000025BFBC75000-memory.dmp

Filesize
724KB

Download
memory/7076-763-0x0000025BFBBA0000-0x0000025BFBBBC000-memory.dmp

Filesize
112KB

Download
memory/7076-774-0x0000025BFBDD0000-0x0000025BFBDD6000-memory.dmp

Filesize
24KB

Download
memory/7076-775-0x0000025BFBE20000-0x0000025BFBE2A000-memory.dmp

Filesize
40KB

Download