2937de2eb7763851d644e637cb7d7375fd69b218beeaceedc46254ac388203c7

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdm_x64_setup.exe
Size

38.5MB
MD5

dded481da831784a00d556a1280c124c
SHA1

48b40f82f66dd678f1c2f4c1298eaae2875f75e6
SHA256

2937de2eb7763851d644e637cb7d7375fd69b218beeaceedc46254ac388203c7
SHA512

78dd1b42e918e9670edaaecd1765fb26e349ab7a5bc7b4dc3b85bd387f073a8ac0a4abc6b8a50d5b3cc6cce753cc8745b26bd47b42953723b21b949e7956cbcd
SSDEEP

786432:jketduUzNdogfpTmDvwLIDH8StVQFkatYPexssk:jkiuUtpTmDvwE78+IHUe

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

6028 netsh.exe
3044 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fdm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation fdm.exe
Executes dropped EXE 8 IoCs

Processes:

fdm_x64_setup.tmphelperservice.exefdm.exeimportwizard.exefdm5rhwin.exefdm5rhwin.exefdm.exeimportwizard.exe

pid process

2960 fdm_x64_setup.tmp
5748 helperservice.exe
5792 fdm.exe
5316 importwizard.exe
5788 fdm5rhwin.exe
6004 fdm5rhwin.exe
5784 fdm.exe
2128 importwizard.exe

pid	process
6028	netsh.exe
3044	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	fdm.exe

Loads dropped DLL 64 IoCs

Processes:

fdm.exehelperservice.exeimportwizard.exe

pid	process
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5748	helperservice.exe
5748	helperservice.exe
5748	helperservice.exe
5748	helperservice.exe
5748	helperservice.exe
5748	helperservice.exe
5748	helperservice.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5792	fdm.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe
5316	importwizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fdm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Download Manager = "\"C:\\Program Files\\Softdeluxe\\Free Download Manager\\fdm.exe\" --hidden"	fdm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

fdm.exe

description ioc process

File opened (read-only) \??\F: fdm.exe
File opened (read-only) \??\D: fdm.exe

description	ioc	process
File opened (read-only)	\??\F:	fdm.exe
File opened (read-only)	\??\D:	fdm.exe

Drops file in Program Files directory 64 IoCs

Processes:

fdm_x64_setup.tmp

description	ioc	process
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-BQL5D.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-1E40O.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-K131P.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-LLNSS.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Windows\is-QFNGF.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\sqldrivers\is-A1T4C.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-3436L.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-FNV5H.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-CHRJG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\impl\is-RBQ3V.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-15JPC.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-5JCI5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-1MUJB.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-OQLU6.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\generic\is-TGSM0.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-9DFQ7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-2CQ4K.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-NLQGS.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-HCPQH.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-GE8HA.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\private\is-D67O5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-NC38D.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-4PJ9P.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\+Imagine\is-HC9CI.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qmltooling\is-EKACI.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\torrents\is-DECK0.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-PQNKV.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-PCML5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-I9F44.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-NO3CK.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-T0LD8.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-OEOMQ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-MDODO.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\main\is-Q343H.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\is-DUL0E.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\impl\is-86NN0.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-LPGVC.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-AOUE5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-B4UGD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-M94JE.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-50QDV.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-OTLDL.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-QS8JO.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-O6ERF.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-6GI3B.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-339JJ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-A7RDI.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-9VV9P.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\torrents\is-R69BA.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\sqldrivers\is-4EJOH.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-7EOQ0.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-TQEGN.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\impl\is-NTFA5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\impl\is-AFC4N.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\is-R2D14.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\+Fusion\is-E3CRT.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\+Imagine\is-DJSTM.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-F5QJG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-D3G63.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\+Universal\is-I3SCI.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\torrents\is-2327N.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-4MCVF.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-U9R84.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-40DK5.tmp	fdm_x64_setup.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Program Files\Softdeluxe\Free Download Manager\libcrypto-3-x64.dll	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeRdrCEF.exeRdrCEF.exefdm_x64_setup.exeRdrCEF.exeRdrCEF.exefdm_x64_setup.tmpAcroRd32.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdm_x64_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdm_x64_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

fdm_x64_setup.tmpAcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695162603193695"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 19 IoCs

Processes:

fdm.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\URL Protocol	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\DefaultIcon\ = "\"C:\\Program Files\\Softdeluxe\\Free Download Manager\\fdm.exe\", 1"	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\open\command\	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\{17FF5AC0-1D17-4A53-A10F-85E3EFA3DF17}\	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\{17FF5AC0-1D17-4A53-A10F-85E3EFA3DF17}\icon	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\ = "open"	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\open	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\open\command	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\ = "URL:fdm link"	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\Content Type	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell	fdm.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{332010D3-F1E7-4CC5-AFF3-6D765FA8D4F4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\{17FF5AC0-1D17-4A53-A10F-85E3EFA3DF17}	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\{17FF5AC0-1D17-4A53-A10F-85E3EFA3DF17}\command	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\DefaultIcon\	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\fdm\shell\open\command\ = "\"C:\\Program Files\\Softdeluxe\\Free Download Manager\\fdm.exe\" \"%1\""	fdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5612 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

fdm.exefdm.exevlc.exevlc.exe

pid process

5792 fdm.exe
5784 fdm.exe
4380 vlc.exe
5960 vlc.exe

pid	process
5612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

chrome.exefdm5rhwin.exefdm5rhwin.exeAcroRd32.exe

pid	process
464	chrome.exe
464	chrome.exe
5788	fdm5rhwin.exe
5788	fdm5rhwin.exe
6004	fdm5rhwin.exe
6004	fdm5rhwin.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc.exevlc.exe

pid process

4380 vlc.exe
5960 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

464 chrome.exe
464 chrome.exe
464 chrome.exe
464 chrome.exe

pid	process
4380	vlc.exe
5960	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exefdm.exe

description	pid	process
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeIncreaseQuotaPrivilege	5792	fdm.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

fdm_x64_setup.tmpchrome.exefdm.exevlc.exevlc.exe

pid	process
2960	fdm_x64_setup.tmp
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
464	chrome.exe
4380	vlc.exe
4380	vlc.exe
4380	vlc.exe
4380	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

chrome.exefdm.exevlc.exevlc.exe

pid	process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
5784	fdm.exe
4380	vlc.exe
4380	vlc.exe
4380	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe
5960	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

fdm.exevlc.exevlc.exeAcroRd32.exe

pid process

5784 fdm.exe
4380 vlc.exe
5960 vlc.exe
2680 AcroRd32.exe
2680 AcroRd32.exe
2680 AcroRd32.exe
2680 AcroRd32.exe
2680 AcroRd32.exe

pid	process
5784	fdm.exe
4380	vlc.exe
5960	vlc.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fdm_x64_setup.exefdm_x64_setup.tmpchrome.exe

description	pid	process	target process
PID 4812 wrote to memory of 2960	4812	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 4812 wrote to memory of 2960	4812	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 4812 wrote to memory of 2960	4812	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2960 wrote to memory of 404	2960	fdm_x64_setup.tmp	schtasks.exe
PID 2960 wrote to memory of 404	2960	fdm_x64_setup.tmp	schtasks.exe
PID 464 wrote to memory of 2748	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2748	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2008	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 3300	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 3300	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4268	464	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Local\Temp\is-69RDP.tmp\fdm_x64_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-69RDP.tmp\fdm_x64_setup.tmp" /SL5="$B0288,39406194,832512,C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /end /tn FreeDownloadManagerHelperService
3⤵
PID:404

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /RU SYSTEM /tn FreeDownloadManagerHelperService /f /xml "C:\Program Files\Softdeluxe\Free Download Manager\service.xml"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
"schtasks.exe" /change /tn FreeDownloadManagerHelperService /tr "\"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"\"
3⤵
PID:5704

C:\Windows\system32\schtasks.exe
"schtasks.exe" /run /tn FreeDownloadManagerHelperService
3⤵
PID:5736

C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
"C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:5792

C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
"C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.freedownloadmanager.org/afterinstall.html?os=windows&osversion=10.0&osarchitecture=x86_64&architecture=x86_64&version=6.24.0.5818&uuid=61b8c907-4be7-4c1a-bdab-b47b5fe9cd0f&locale=en_US&ac=1&au=1
4⤵
PID:5740

C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
"C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5788

C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
"C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6004

C:\Windows\system32\netsh.exe
"netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=ALL
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6028

C:\Windows\system32\netsh.exe
"netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=CURRENT
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3044

C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
"C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --byinstaller
3⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5784

C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
"C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4 --printFdm5Setting=ExpectingUpdateToVersion
4⤵
- Executes dropped EXE
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0x78,0x124,0x7ffa245bcc40,0x7ffa245bcc4c,0x7ffa245bcc58
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2012,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4532 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4884,i,2962459958401772868,11295538349030465893,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:5544

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5976

C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe
"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3888,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4772 /prefetch:1
1⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1044,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:1
1⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5432,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
1⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5440,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
1⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6132,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:8
1⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffa1f0bd198,0x7ffa1f0bd1a4,0x7ffa1f0bd1b0
2⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2292,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:2
2⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1816,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:3
2⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2336,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:8
2⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4548,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4548,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4896,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3524,i,3255458992367685053,6078963016346577181,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:5164

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartSelect.wpl"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ReadSuspend.AAC"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- System Location Discovery: System Language Discovery
PID:512

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E0B24F367360E7C20F63EB2813865370 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:4692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=75BF62DCC9D94760AF67C0027D7585D0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=75BF62DCC9D94760AF67C0027D7585D0 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
- System Location Discovery: System Language Discovery
PID:1636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F30ED974AFB11598C07E2C992183041C --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:3852

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9E6EC29C85E79334F6D1228D48571B0D --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:4724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=514E582DB1CD1F33774B242D83218AF4 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Softdeluxe\Free Download Manager\Qt6Core.dll
Filesize
6.0MB

MD5
46a0dbd38cb28d8e79c80c9a033f6ae9

SHA1
1be5f3e78485f9b08e32346f13155a94001de50e

SHA256
225bd38093416c825f2e3220213f64e1079e9ab20f4738decc0fc6eb992e8a9e

SHA512
3fb62bce7b1d5129237914269aa3dd9a24f9e797927f2f4f937a0a291d357a40ec51b9c829094dc0bae1edcd6c580f1c9a03ca2c84d5526599c3608246f00bd0

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Core5Compat.dll
Filesize
851KB

MD5
e50b9b3fa16362c86a40e6255c6b45e7

SHA1
fa8ce8fd6d4415abdb67597735575dc83a8fc634

SHA256
c95ab3df8dc0bfd92925b7b8b51bce859ae09008691874a5c6f5630969557564

SHA512
03a8ac0ae14e8420dd9fd91bc1619d072882d152127b3f2f1c6f7e670b7c54c524490e7c84a7cd0b76e2db413439a1ca55c4e03416fd6beb47b1067c3e960cba

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Gui.dll
Filesize
8.5MB

MD5
7875aad0d0d426e9d1b132a35266de32

SHA1
8b7656e3412ae546153d2d3df91a6ff506d64749

SHA256
fc2464f62d7915ddeaebb5490bee6d60e7b42ad5a223d5812f0993c27c35be19

SHA512
9fa16c5c628f2e9b242323aed4c1aa70f093cee9f341ac61640287ff9be8663658f502769e037a8409943d3c9ab826bb1c6f88532f0fbacdaea28b2353cdfba9

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Multimedia.dll
Filesize
833KB

MD5
e8fa5ba349752d18f6302434658229f4

SHA1
1e7696e1ae887734f017e7c4e521ff648e090508

SHA256
7b2aaffd8bd1b042d1d028b071d4fbb42420f52d04f45de06c4a80315b9f1b29

SHA512
771a41622b045724604568c18e5df00f99b3da3fa67d25f5a60024db34b01b7b70cd0aa9bb39c53cab4eef7a6059e5855fb205e83d131580626a4b43505bf621

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Network.dll
Filesize
1.4MB

MD5
960f50470059381c65833145036fef29

SHA1
270e230bfc9248e5ecff9ea8dfbc5f1066df02ee

SHA256
1071f4f88c65317401bf93a2ffb55e661adcbb84f05911879ab21a6656521a68

SHA512
cb0a0d63aaae1b9646dad722759b1c53b36ed13a4231a30b054f6124bcc69e7285c5777ab6bbbb8296756d6c31fc94e735db42c5155db35274e0ec25c1406582

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6OpenGL.dll
Filesize
1.9MB

MD5
2a2a628e23cada5d2eba63dee642438e

SHA1
73cbc92073eaedde3f2fc432edda0677e7a49c9d

SHA256
054b0a8d87fc735aa2eb281e5078f8d28bd1c395b7e32de13ef64a8bbc10bb04

SHA512
ca87b5e95ba9c3b1268b14a6587305ea52512224e9ba48e73e64b292713df295e9d64587f446fd28f0e2788d7cb78ca460d962f06cf43ccde53fe45ae65cbe90

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Qml.dll
Filesize
4.8MB

MD5
6404ca802e99e8520d6229982e382cf0

SHA1
204e0446b4989ef2df2c71a4ef7482240039da45

SHA256
477747d49a8b7f51c408fe7a49cc3dcfa99078040d3059c5586c77d9b04d1a0d

SHA512
90998283c98eb7002cb0342b664a9f03902a6ee8141781ab03f723fddfb925d0a0e450e3c89589eebec41b95f1e73ec298808857151782b3c00b6c3fecf17df0

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6QmlModels.dll
Filesize
708KB

MD5
623c7740fc301a398c40dc9504d04fd6

SHA1
fb0e711c49c2ff488c7d3be9daebe2779bd42157

SHA256
4ae023a87636f5c70c08dbd787e47eecfa0ac15ff741677db323d70bd70a36a1

SHA512
2343081e57448e3922eeb86bcedb861ed8fde1dc51ab0e42e7930cf07834e9fcfe41a9b1d64a89341037abee421d242d4ece91dec8a8b26a0a552989e130fc34

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Quick.dll
Filesize
5.3MB

MD5
e739a7f0e54081125d1381a42eb7c226

SHA1
20ef3724f878bfe7773e006c29de3ff4e6e8a8c3

SHA256
35e8842051211a1654d6717b8786357e7a93b21a004f941151e7a4af23e16a84

SHA512
fde9db1793eec6fe1a0818af1b24c8399c941280982bbbb456332aa2768d0950da0caa7bd21e1cbbe81770358cdcdd3a6b199c71df1432170506dadc718d88e1

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6QuickControls2.dll
Filesize
87KB

MD5
8641967f2caf274abb1be307cc70204f

SHA1
08dea9d79289dc90dc75554baf0dce8eb7c53023

SHA256
7065885b1374f55ade04621b52b5ddf6d6e24cb6d57d89d2a1c5cd6bb0d1dede

SHA512
a8cee79efcb002aa2eef263ed0492a212b017375577f42de13322a8f8ba9f942fae2b8658fd7468a7a7bf1a19192013fb092efdf7695b8ca7d291990157154f6

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6QuickTemplates2.dll
Filesize
1.7MB

MD5
f5b138ab4c0ec16233fa6a9d15d9721d

SHA1
c927058d73c57bf34dd37ffc4c899945f38556c1

SHA256
000013ac37fb5f210fde72ee1d4b175dec38c45d6615d306e62431753b0d03fd

SHA512
40d6becc960d3133c326cce9b7caf1a0d5473605b3c30e935befe60a027f5f3fe5647d3d906a88eab8b347c697758c5a8789949f25bac4ffce3eb2112ba34b90

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Sql.dll
Filesize
291KB

MD5
04b54b342a7f3b56fe9b327cd3fffa86

SHA1
257cbc011eb1c1acb4121a1dbde801411fb3691b

SHA256
cec14ed64352d5c6e1e043d716cbd2d4575ddfff2e48633c6e6fa2670895ee59

SHA512
493003fa6b37c723ea08b0749348ca96fa0939a384ac452737947eb98195f1c1c78b9fd7c7220d0938cb526afc300232c0e52720d54919ceb05c311d6ed3b62f

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Widgets.dll
Filesize
6.2MB

MD5
34abb42b63e71b09b72b48cf5b1dba53

SHA1
9f3111aab57a5f28a4ce9bf82ea208fa3eadb9a6

SHA256
c71e65b882a84f47114590784a256f14ba19202ec30b218ce4841b2c7256060b

SHA512
06acab5a04a5d3e6834ddc95229758d4adc7a7f0ef003c80e8d59a8241e295b196aceacce20c88879e1676405a2538d032ec6ac543258538e686878fb29f77f1

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\downloadsjsp.dll
Filesize
111KB

MD5
ac0838c665b3741666667e37e9063bab

SHA1
0d6f7377aa10b53727b1bc1126b17b7b8c766509

SHA256
98867ba613760d132096bc835d0704dde75143dcf5545fffdb452c31fc8adb00

SHA512
4d535c928703b0bdfaf5569ea2c8cbc848123225fe6b53fe64db6a71ace06d392093500e1fd3673542adf86c569e7ee8044b812428387e1babb5ed74f6e2530e

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\downloadsms.dll
Filesize
623KB

MD5
cbbb8b877d4e4abc1cc5f7c87e52e4a3

SHA1
e0fbd3bfcbcfe1e9f85e9a03b5411b75cea5d206

SHA256
31a9512311013764320feba14e1d849dfc7bc0a689cadf5806a90043945128e5

SHA512
c201faefa7fb6fa5eaeb119da7f502951efc3251ad5a76eac1bd139379aa4b6da4f9e73bd0fc8dd0486f4973c9ccf21da401e01839f1a70032ff01bcf754e08d

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
Filesize
7.1MB

MD5
b6eb17081c138903a98f4daddc5356ec

SHA1
95338c82ca76629178c342fabbcaf9fe8ad707cc

SHA256
88553acc42f9e638fe19771e0cb2badbe28f569583195d9306c8a8ef6343e297

SHA512
ef9242cd41585318d5daa47ac8cffc956672549f4ce9238db6227fa64ce800a7b64a25cd7b7175e3b1769f29fbc37e4b18c28375159eaa3bf294c1a48588e01d

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe
Filesize
136KB

MD5
bdd8417b62e8c1dd4352d654b1c0b887

SHA1
a4ca880967460b692351efdbf2e94438fb6f2630

SHA256
3f58d018ad24f506873b6e4eacae6e19585849e7d6638e72b585cff9a750ebf7

SHA512
9e2782c8543583b9f171e4aefd1685f32a70693998addc656169963ed973a93c0c81562c12ca52d07ac94cd628e7cb9909ba519344210cce4a36c64701f78aad

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\libcrypto-3-x64.dll
Filesize
4.6MB

MD5
abbed3f87da630930d274871cb794a4b

SHA1
40398d1aa2c9b9be7aa7744e311b67b5296b0450

SHA256
7e8caae0c0e6bf6bc5ece9aad0cae238246a5a98c3409745f571316a50aea54b

SHA512
35c04b8ce4702bd6f8629011b382941d24a3122f8d6394e1d6dff3c11549993b16f2d1d4635f16b1d33aa0d5fd0d335d103e2199383934d52527366d6eb624ec

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\logger.dll
Filesize
43KB

MD5
9c93f9c583bb077a23f50c5d64cf1bb9

SHA1
d2b2a91bfc9b6cbeccef00a0b8c49f0ca201d78a

SHA256
6434f084d00beff3a67b9a20eca0c8a1940d380bc12990258042859cd98c5a20

SHA512
27db1a016b6804a5c03d78d163eb6588ffc024c4bcbc0d1c582cdfd7081f351a5ee9beeb6684ca70fb9a1ee24f0eaf0cf8e18120efc5f347db10692d931c04f9

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\msvcp140.dll
Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\msvcp140_1.dll
Filesize
23KB

MD5
0832532fab0d5c949aa0c65169aa9d61

SHA1
26f1bee679b7a6289b663c4fa4e65eba33a234e8

SHA256
8731a93e519c2595c9fd489e6d9ac07e964448c0da1c8ee9ee500a7989482617

SHA512
03147a59ee35fb3d2752d4c40741a39674ccd4474a575746bc574d2b2fae1fd04f5ab9c2e02b0dc6268fc6aee8fbb46dc4bf5ff23b5fcc4a0e9b847f57ca79d0

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\msvcp140_2.dll
Filesize
182KB

MD5
e35261e9f4478aabe736bb2269c20b59

SHA1
f17330804c159418d4acf7a803662b8c1f7686fd

SHA256
366af8e071f004da5d95a832a46b2e8821a8e0294340a93f7c95cf48c441067e

SHA512
2694d21431e9b72a9591c4658dc3ade5795a52fcf2bc8631928181a7aeee49184cf741d50e28581b96d439360d21cb176c6bb011db4fa742a2fc64afa38baaf9

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-BNBBJ.tmp
Filesize
1KB

MD5
63340c8fcb71734ce4bbac29a86821b5

SHA1
0cfd02b3e95fa482cbd4bd83b0f2d9214acc9709

SHA256
78b5fc58e6d881d16351e92d32b8cadea6b14fbf8c20c1bc7e56d02946467ae8

SHA512
fe035bb77a32d0fe9d4983d90c65d4c2600a019ac20743dbec409f29ffbfbecd8bca2d15abfffb2e71b77e3c105e248627a176942cdf9d7b98ed9113e6f73ba0

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Windows\is-URBOU.tmp
Filesize
215B

MD5
2006d4b7d0da455aa4c7414653c0018a

SHA1
6685b8360b97799aa4d6b18789bf84a343e9e891

SHA256
a96c7bf5832767bdc9d91e2290a3920aec3abfbf2e3814bce38b49483f16f84a

SHA512
703804e6fab0cf44317b7292c547a1348e2e7395e4b71367c32c3b097bcfb3344d3296179bf4ba33a4c752ae58a3873af57d8cdef35a34564205356bb4e6fd84

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\quazip.dll
Filesize
227KB

MD5
514b4dd973694fe604c7ec22a3ec8481

SHA1
6285f9ce01e9d061e4d936b7fb44635a9ea19d93

SHA256
367ce7cbe3c20048ff6a19383b762efb31a3b5313fc8169a01c9256afd2cb7fd

SHA512
4eaacd3a196959d6579bb6c716dbba3d2ebb2f3121641c7b536839bd4c7744da5eae8315f65a4585f35bf76126a4468485b609a4ae9a2c62afd56640055352cb

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\service.xml
Filesize
2KB

MD5
85c61b85b0ffe2609b00379a5512790d

SHA1
2dfaf069df408819b06916381ac80b3ec097214c

SHA256
24f6062b8679b4140b5c15900deefa8ba187ed5e3c5cb8efc91b26b31769664d

SHA512
3a18c17ddcd10cd89d1c666134f13be6ed441fbe2c36a9567e894c0e1674232d5882e696ad2d385bd5eb4d50b6a1b4225bb992389aad93a77b203318293ca6fa

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\vcruntime140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\vcruntime140_1.dll
Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\vmsclshared.dll
Filesize
698KB

MD5
8a839a29430dca22865dff4f2b5b0124

SHA1
600e3b1d00ed8b49e0947a470862da7b8944c48a

SHA256
0a8dae7bde1b75351c0f2a030e811f15cf2e341c57828bff22228539c3d574fb

SHA512
a374f2313e0f64bde4abf81fb5230cee4a8783c705824d55d44cc45157d272f7a488a4d911ac082eb9851ea4b57fcd817161643538e7587ba8a0feb2274d43c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
4a7c9161cd3e1437f97c16d2fdc6d19d

SHA1
a4b117a3105c74077f31a4cd06e8ede3bfacb749

SHA256
029f62430ca037fad6a2ff37578d50d59e7c0e92867f08042573c2f7436fe771

SHA512
e466d6a3c1ad5af7ac96353c2285eb168cd9ef6124f59e9b306dabe25132cc10e73e3fad6836cd34aa20954da7fc3db34229e889ea7460a2986d2aea216a03af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
afb1fd71147daf78413ed7826cc4ed3b

SHA1
676d71bcec53a47a09c0050341ac1e22a2b0bc4b

SHA256
b02ee79018f6a6809029d2edf863adc289ce43a2a635ec8dab3302b2862b2210

SHA512
52e76d8482b038cc6d158b93e8b26d053fb5c038ebc90a697dbd1a5ef80c5bd66aab9c6c6d1f107709f75f338bbb0a8baaa9420e6bb7bc00e36d049a385bf6c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
880837d2798c7b24abc75ec3b360645a

SHA1
816daba787dd0f466dd68f4c603b46962be4b601

SHA256
0ead0773ef24cda3e8ed19b5785b510b2040e053c25b3be3cdf9690f6036799b

SHA512
64fa94013393e264d23782dd4fc2d92c4a25bfcc9b457d8393e674d84cdfd094404cf7f0a0b44cac012926be6fbebc417ca384a33bb71637ea14699e45ab5e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
19bb7e7c76641292df1b193fa1273c5e

SHA1
5765f051229640b634be1f4ac29084004ab96187

SHA256
096811ac5a9ec512c41f707dd992b9ace9ded5c614441c7857bccf49f81a8f1b

SHA512
f619705d274a74ce3ab3119b2cee225660ca48c7aeab26f3a984328be21c12c8a0348aa2a84a13240ed7495b2f81105dd4c82fec4b3f60f4ebe6e4e7d1f4fbcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
4b39f4c96413898fffb9328d95deb74a

SHA1
7eee5dc5b3c774c2e7cf36960133d54a506421af

SHA256
c79c022128807924a7415833bf55f0c5e7931bd2510c7d38487ac66330a022f1

SHA512
14c31ab1b7603db070029cce2a5a4cb3c1de1849bab9a5d829077a0bfe4af6f8db29d007428d79bd36521066fcee7745f42fe3b9d9ef367144a7075c8d2f6fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
9db0ce3aa3565b59e4d3d78da6f6bc0a

SHA1
3f0beb5d17faeb0dbaaf126b9a62d3df51b75ed4

SHA256
0eef60223661943816877c5e281454d2fabbb7d71451717f59ffd0f18609c839

SHA512
fc5c69f6e18b2b488696abce9906006562d752da2e4862e32e2ef2b27830b4cba452f007bbb95af57ebdac81c85c047b38b58ee87208a5e38a193f492481a3ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
ca43bdd9a0a6cec34250d00c1eb7e510

SHA1
31e229002181857340773aa8ad3a1bab04bc9d60

SHA256
da6e1971c252584a1b7275649cc315b30071bc52beccac9b62d37781df4021ad

SHA512
199b4583ebcd9b6787674e68ef0c9446dc9d84e35cd390bf9188ab427ffa690649f05c681cd30fe585b55363cdbe40163c9b0450101491fefcfdee092ff5162a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
06cf0bf900c10565f0a7dbbe21a048d9

SHA1
c4472609eb8e69b6b1097daa3629752add0099c9

SHA256
6255910f1f4fd46d6899141adb3e4323322c3fb59deb8f1ce56236ea3a1bd874

SHA512
462450af73800f4908b432d2900bfb68e2e9b1262c2c2c1a9ce97bca7ad3cd8d5ebd37518e9b517b426dad5aeabc9591dac1bc95b68a5d10cfdbd889efb3f8cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
54f95a6b0c506f1fbf79afc4cb47e425

SHA1
03e8a33934e6170d7ed0bea1cd64d2d8cb5c350e

SHA256
1386f870ddf85265960c53f574c76427ac73b0453e665e23bbb373278c47e7fe

SHA512
3f9221a7adc7ee2ce430b3568ed1724799e3712b0117bb4ac0a7facd68394e4a26c99dfdda63c834e88b3543466f1c10d887e34d7dcdedb16f72c11e3752ba78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
10a527ff254e48b1039b2a47b71a758a

SHA1
170086983a1341196279360a0f3f8bf4f9353d2e

SHA256
5cee5f16e5c3e5628141d90c31e33d0dd310bff805109c0ec1dbba72ee82c7c6

SHA512
cd8a30ece0fe3d9c752b9bcae27ec6c25a48ab6b0eb2c0cc3ad7d670d6a692372446ca700b3de7b61289921465b7125f476bb71effb2f5156ccddebbf65bc84b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
3b751538f0fa4657a2304de7a9685a4b

SHA1
3a080c2bc79d914148d526ea3f41ec961db624e6

SHA256
d07da9722f462d695b2872d215a1fb5cb2b58a4ddf45c641c480ee33630717f0

SHA512
b1a2b6373fbf6109ce797c013f376a7382d014a36cbd7c58839795121ddfa9616ef342057095e311cf36e08002aff4666ea0215ed346bfbe534c36e468cff714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
3b7dc46a1fc2f2cce47d12b4c8a92eb7

SHA1
6ffd4cce6dc6989d71088be155900c67f477b0e6

SHA256
2dfc3bbf2b84438ed7342f9d8e060724475a4e8032d43290684f8ab5dcfd88eb

SHA512
a25fdcf8b44caabd902e0eca538d4c15f0e6ae73f385dc035eafa048c14554364a379f130555d178a96a21db8047dfd1a2b416ccd71c91dac00c1d312bb76da4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
c5f43e617843c23c7c0779f533ad1c5d

SHA1
b99d56d1bfa028dc43d92daf43da579c38cd0ab0

SHA256
6a944a1979af82864f523761cda8cd85c53451b6c0ff92f0cf3cf396e720280c

SHA512
8a749b22dee5a35557c806f793e54d1dee882c15e9e285a273006f9e00703a2b8563d08d2808e3be1a8868becc3e1ac8033e12ae921422a127af0850c80e1dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
c97681f409fba3d0aa530ffe89db2114

SHA1
ad8e8bbdf07e46ec9cb2d8a8327d0b1ec71c36e1

SHA256
437c8738ce35d28042a5421acb979d5d74a027e70600d1f1a2b7a9012205c066

SHA512
d567107a0881c14a2bd7567207d8e334a49312732cd3d2f8a9380f1ca8b62e7b30e5d3e7b67646f15e59efb586a82f807a50a9e776cee2b3d8a91b2b70fe20f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
3ab4a4065a1259e48cb8f035b7084864

SHA1
8f707483d2ea4c100d43f925a2144da6f0c245ad

SHA256
78159ed830c7cf4c324fa5275d0820e9bd797e255c109ad470261328e41aeb8f

SHA512
1a2576bd4e4a3509772ed996855d425eddab95f6d62acbccabc3ecc34d6fd23001d07c3d2a2cd38c2a7d48c746ec48c7b5cb5b41b08a517adc062a30c54209e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
03296036dd2cd09b491892cd3f140e73

SHA1
6809c6125c6bba477bf103a311267d03805751ba

SHA256
908664cf4bc16b0e3e860036b6e0cc25a8ebb27da37438b8ce28dfee69c51c03

SHA512
c97ec4322fa8de52048e5702439e36174add9b925f6b7b5a65ce65b40791a6c81a79866892fe667d9a7840af283988f3b13b864901c89026fa1513c3777e13af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
d6777a545453f6e7b4f036046f24d2a1

SHA1
edd8ceab22163b90595ebd4cc155766bd93651fc

SHA256
f17e12ac6256f05542bbdf928fbb5496eaa0a4242b2c4008ea806c2dbcb9a17f

SHA512
9e863cb8535b449279b6c37bef1e8e71fee2404305d5f4a66370f9cd674c2812f982760ca5db034c9e25b690e9645c78cf04167f2337231b7e941a3872356ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a89c3b90-cbad-4be8-a2c9-f680b6ef3952.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
44KB

MD5
59db4746c08414e30ec32171af925589

SHA1
255bada09ee94b9c10d534c98c4f1835b5a0291f

SHA256
6578af882f3e1267370fdbfda7ad5cf24fa520b3b93ea747434df014e8bf601e

SHA512
eae10d83ddf850eb619ea874aad89f650a853ddeeed06060930a5ff51e19c49a5f2c964e3a78fa638022ddb603cc0f1f095862932b2db381a2719a935b3b5a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
49KB

MD5
43bc28d825d452076e3ca738fcb637e0

SHA1
2a31429ccb6a97e2211c2773f6ee241337df02ba

SHA256
79a9175fee47222be3fa1f9daec33e3b85c016311ddb397a28c252e52cb29d56

SHA512
a322231bb30c966f34c69416d3d5ead599b852f6e1c6c893836cc8877b48563de535058f25aed2d70e39530ad91385d8f9ed744c700605ec588c9dc95d98e014

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-69RDP.tmp\fdm_x64_setup.tmp
Filesize
3.1MB

MD5
60f76f6e78d966f31d9c574c7465899d

SHA1
2c231f5a57d294ab2b6c1fc6f7902fb453fbeac7

SHA256
ced610b7c01111d289a511d35ada43d94fb4b2537ccfc0317a23e1d3eecd3bf8

SHA512
59b67dd82d6f3cee823d7fba1722455c52479413664f816c6756e42bee877ba854844b10c90d22e63b3631e3b8b83dbf35912507b7fedd7fda4f2724888e2cf0

Download Submit
\??\pipe\crashpad_464_SLSQGHSQBAQNBMMH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2128-1715-0x00007FFA20160000-0x00007FFA2078D000-memory.dmp

Filesize
6.2MB

Download
memory/2960-1667-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2960-1659-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2960-1558-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2960-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2960-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2960-144-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4812-1670-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4812-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4812-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4812-7-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5316-1565-0x00007FFA1F5E0000-0x00007FFA1FC0D000-memory.dmp

Filesize
6.2MB

Download
memory/5784-2194-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2188-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2177-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2175-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2174-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2173-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2172-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2176-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2200-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2199-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2198-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2197-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2196-0x000001FEAF420000-0x000001FEAF421000-memory.dmp

Filesize
4KB

Download
memory/5784-2195-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2179-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2192-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2191-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2190-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2189-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2178-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2187-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2186-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2185-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2184-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2183-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2182-0x000001FEAF410000-0x000001FEAF411000-memory.dmp

Filesize
4KB

Download
memory/5784-2180-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-1722-0x000001FEAC180000-0x000001FEAC5C2000-memory.dmp

Filesize
4.3MB

Download
memory/5784-1724-0x000001FEAC5D0000-0x000001FEAC7D2000-memory.dmp

Filesize
2.0MB

Download
memory/5784-1664-0x00007FFA20790000-0x00007FFA20CD5000-memory.dmp

Filesize
5.3MB

Download
memory/5784-1665-0x00007FFA20160000-0x00007FFA2078D000-memory.dmp

Filesize
6.2MB

Download
memory/5784-1663-0x00007FF76E490000-0x00007FF76EBBA000-memory.dmp

Filesize
7.2MB

Download
memory/5784-2169-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2168-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2167-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2170-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5784-2171-0x000001FEAF2E0000-0x000001FEAF2E1000-memory.dmp

Filesize
4KB

Download
memory/5792-1548-0x00007FFA20840000-0x00007FFA20D85000-memory.dmp

Filesize
5.3MB

Download
memory/5792-1547-0x00007FF76E490000-0x00007FF76EBBA000-memory.dmp

Filesize
7.2MB

Download
memory/5792-1549-0x00007FFA1F5E0000-0x00007FFA1FC0D000-memory.dmp

Filesize
6.2MB

Download