221944cf8cf33d706f1418545c2cc5f375743e0cb2db913ceda97b7eef31f776

Resubmissions

04-09-2024 18:54

240904-xkj9kavdjq 9

04-09-2024 18:42

240904-xcj9lawdkc 9

Analysis

max time kernel
262s
max time network
269s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-09-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libEGL.dll
Size

473KB
MD5

4c01b3614be1f38a6d594443a547c257
SHA1

7eaa456b164613577d0965ab5a57ba2b681a6ffa
SHA256

e36da1a4228899bebe50cc5da1fcbbc590cdcb3ddee0b2a19defd99a805b6ed4
SHA512

b72fc071dc791c63978465a68c9a4904d5f1c458d302bb710e83576f20ef928d73c487248a305bb455990c2d8a6b894ee47d88bca6bc92360f286849ae1a1257
SSDEEP

6144:fx7X9FY9N9dlUxMxHbjjvKir8WQ3hP3yUo6DyKuyY:RXgNlUixHbjDIWWP3yUo6DC

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\HttpDebuggerSdk.sys	HTTPDebuggerSvc.exe
File opened for modification	C:\Windows\system32\drivers\HttpDebuggerSdk.sys	HTTPDebuggerSvc.exe

Executes dropped EXE 5 IoCs

pid	Process
2036	HTTPDebuggerSvc.exe
3232	HTTPDebuggerSvc.exe
760	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe

Loads dropped DLL 16 IoCs

pid	Process
3008	MsiExec.exe
3008	MsiExec.exe
3008	MsiExec.exe
4848	MsiExec.exe
760	MsiExec.exe
3008	MsiExec.exe
3008	MsiExec.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libplc4.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssckbi.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\softokn3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win7\HttpDebuggerSdk64.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win7\HttpDebuggerSdk32.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\scintilla_license.txt	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\zlib_license.txt	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk64.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\Styles\Office2016.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nss3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssdbm3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\cximagecrt.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\license.rtf	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk32.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\sqlite3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\freebl3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libplds4.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssutil3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libnspr4.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\smime3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\certutil.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE1BCA722415B55C8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9347D1A3C8B8FDDF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA475.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3AAA8F78-6858-4344-8675-C73E1573CA0F}\HTTPDebuggerUI.exe	msiexec.exe
File created	C:\Windows\Installer\e59a2ed.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3AAA8F78-6858-4344-8675-C73E1573CA0F}	msiexec.exe
File created	C:\Windows\Installer\e59a2ef.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9B35D98043CD26B5.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCE7E21A3353173A2.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e59a2ed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3B8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{3AAA8F78-6858-4344-8675-C73E1573CA0F}\HTTPDebuggerUI.exe	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTTPDebuggerSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTTPDebuggerSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTTPDebuggerUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTTPDebuggerUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTTPDebuggerUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000700a100e0a6bdd5f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000700a100e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900700a100e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d700a100e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000700a100e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699500366159559"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	HTTPDebuggerSvc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	HTTPDebuggerSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	HTTPDebuggerSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	HTTPDebuggerSvc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\VersionIndependentProgID\ = "VbMHWB.vbWB"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\Control	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\HTTPDebuggerPro"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\ = "IvbWB"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\ = "vbWB Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\InprocServer32\ = "C:\\Program Files (x86)\\HTTPDebuggerPro\\HTTPDebuggerBrowser.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB.1\CLSID\ = "{20247C83-3429-47B1-817F-C99F29D2BF3A}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\PackageCode = "95D461321A43EC94B8CA54DA9339604F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\TypeLib\ = "{33658027-1004-4E1E-8D35-C9146DF87919}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\PackageName = "HTTPDebuggerPro.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{D61316F0-93DE-42CC-893C-2700FF2164B7}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus\1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\ = "IvbWB"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib\ = "{33658027-1004-4E1E-8D35-C9146DF87919}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\ = "vbWB Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\Version	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\ = "vbMHWB 1.0 Type Library"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\0\win32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB.1\CLSID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\0	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib\ = "{33658027-1004-4E1E-8D35-C9146DF87919}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA6D6B88BD56724E9FE0AB5852CEEED\87F8AAA38586443468577CE35137ACF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB.1\ = "vbWB Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus\ = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus\1\ = "131473"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\FLAGS	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\HELPDIR	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\ProductIcon = "C:\\Windows\\Installer\\{3AAA8F78-6858-4344-8675-C73E1573CA0F}\\HTTPDebuggerUI.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\Insertable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\ProgID\ = "VbMHWB.vbWB.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\TypeLib\ = "{33658027-1004-4E1E-8D35-C9146DF87919}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\87F8AAA38586443468577CE35137ACF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\InstanceType = "0"	msiexec.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 574426.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HTTPDebuggerPro.msi:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MixerLap_x64.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
4968	msedge.exe
4968	msedge.exe
4424	msedge.exe
4424	msedge.exe
1560	identity_helper.exe
1560	identity_helper.exe
4092	msedge.exe
4092	msedge.exe
3260	msedge.exe
3260	msedge.exe
3728	msedge.exe
3728	msedge.exe
3140	msiexec.exe
3140	msiexec.exe
4928	msedge.exe
4928	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe
Token: SeShutdownPrivilege	1880	chrome.exe
Token: SeCreatePagefilePrivilege	1880	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
760	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
4480	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe
3752	HTTPDebuggerUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4280	1880	chrome.exe	81
PID 1880 wrote to memory of 4280	1880	chrome.exe	81
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 1044	1880	chrome.exe	82
PID 1880 wrote to memory of 5112	1880	chrome.exe	83
PID 1880 wrote to memory of 5112	1880	chrome.exe	83
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84
PID 1880 wrote to memory of 1084	1880	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
1⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e57acc40,0x7ff8e57acc4c,0x7ff8e57acc58
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4844,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3492,i,16716566966565549774,8681475885053786376,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:4284

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e5cc3cb8,0x7ff8e5cc3cc8,0x7ff8e5cc3cd8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3728
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\HTTPDebuggerPro.msi"
  2⤵
  - Enumerates connected drives
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6956 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1856,16703786090026567909,2510432451851692991,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3140
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BDB7120E6EDBF38E92896E8BB4B23377 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
    "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:760
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3728
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E032C3073AF40C4D5FC7679B9086C996
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4848
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:760
- C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
  "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" /install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2492

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2036

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2576849eb17e4e2f8f7860fdfa24624d /t 1508 /p 760
1⤵
PID:1868

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8b239ad5ad8f4551af536d50487941e2 /t 4684 /p 4480
1⤵
PID:3052

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2b8fae0dc937403f9b5d2d7b41e734d6 /t 440 /p 3752
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59a2ee.rbs

Filesize
13KB

MD5
bbd0fac7e00c43f719ab02155c3ea82b

SHA1
ea91295ce710a3206094b8d133d82f1ed5a540b9

SHA256
7a2c2c516b56594300a08466459bbfadc661e1efd4ce3e7e2ad751ff6bd180ef

SHA512
306a56a6d0792dc8056dd26b0dbbce981416954bc371e019de05de460db052250cb7a2321946ecfc4ec6a015061a4303671834875dd06055974fe0aa53770528

Download Submit
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll

Filesize
575KB

MD5
4facbaab17f633d153a7b53fb483b22f

SHA1
9e0e7bfbe927b1a77133380a2f76531b9416962a

SHA256
c557b766a00fd4ba6950c08c6133c20e4dd800139a19d271d46d6feb31ebf870

SHA512
86cccef12998201c28c257204cdcfdd339ac5e65c5d6627ffa6e5d88f57bdd94812dd7f657bbd3b01b88679abe92343496be775f2d7ac1f3d59573a0b696d832

Download Submit
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe

Filesize
1.5MB

MD5
5b3c641fd1b48108810cc12b1971ffc2

SHA1
0d38bdd2d0654391b4737db591f2f1e19a9d8a3f

SHA256
f6c8009319b95d3d94c8858d831563b2568f98dda478b6a784ba5a828374e7fb

SHA512
4c2888ad3632bcb9efe06fc15c65c7a0ff9f5382e272ff7402f00a701a8aa3a4d9e467630085dc47fb9735ded898e995af1e6259472f0f4954d77b55f2f8944a

Download Submit
C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe

Filesize
8.1MB

MD5
d6ab0e25b4f76ca11acb71eb290938d5

SHA1
0269f40ec4936edf9eed2b1065a631dd895776e4

SHA256
555b66eabf40ca228d6a285862e622b662a528ffb68aa01a3bb27b4132188de0

SHA512
5417a45ef64accfc7fc5b282c089b2046677f74249436ab4112ff5626cd6ffe5e9524012f093faf13eb108199a0c281ed5f5f7feef6a7db38ed1408d10e6039d

Download Submit
C:\Program Files (x86)\HTTPDebuggerPro\cximagecrt.dll

Filesize
1023KB

MD5
a2fe19b6b766a12017c8be442ad0cef2

SHA1
9e5bed747e57e7c7141fabe3d9cb12c863d4b2f5

SHA256
35b71d192854edc95248f77deb824f034e903447319459aaf454269650fd51d3

SHA512
9969acf85432029810cd1eb2f7a65a3bc19d603749ecdcd2301645ad342bfc29d977c067a081a395afea4f9a5d199c982c4374d2fe6a2cedd9ff659af2101c7e

Download Submit
C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk64.sys

Filesize
97KB

MD5
947c624c4bd48f8c66fcd00fc0f947d4

SHA1
5266036308e0d0eb837cc3126dba5a0b6ec270fc

SHA256
2e89606775ed719b9d950ae9d37e819a2567426fbe5c3e0aad8d86fec693b67b

SHA512
2fd940253eb2c4f9da9ceb9516b811f28bd8187fb3d819a86f0ec37f98c30d0a9b510652b0f615fe15cdcec1bfeff435da7b42407bb29faf2b1d58ce13508fc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
3942ad2060dc148204dbeb607b3bd364

SHA1
c4b6cf131065fe9de2773f5a6b7dc4f99450e230

SHA256
2d8453587c47bf131790a3b635f4283fe1bbf675855abaf7876298f04e1c7eeb

SHA512
1fb9196fc5db5ca4d14946c660cf405b73f89de147ab6d191f3c98a19b466f4e46bbc8958bdf7c93c5bb81f8b1f63a50222576ecf2a8520245517e9aa3f8bc45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_76733C28E3E87E78CF09C0BB924E316A

Filesize
638B

MD5
6ed5eedf2fe9210bf460eda026bd0d1d

SHA1
a14b18fee5a02ecb8733f42781e22b6c39c9723e

SHA256
b798590097fd57868eef21b652f27be6937d1aef150776adf1d12286a7fe7094

SHA512
af8b3e26f6de9caee65e16054b4e71efe0063e8f97c42d7c115414c5c174b3fb3e97d2def29de10e1d29059b79beb8afc2397fb16d19d31d0fbf8cc260a16ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
52189e0e2445713fe9c34f8461f6c242

SHA1
4557c07820643723a8f0d4bebad2f2b292f0c7b0

SHA256
f66b87751942986d67c613e833cd6570c2a7ef90b7b62728222784fbc8eb4d32

SHA512
d3c97b9c51eac49243de21d27392a9772abd01f640b95c6e4629f1cd879c8906a61329bf6b5903e2b9a389b3655dbcb7c54fcd31f34f2f832caff18d2d31af62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
a9992a2e4328f56530acd453fc370684

SHA1
a90596702fd4c946935054797298eb9994bbebaa

SHA256
334c918076e6888fbbfa8124f59d6a291283ea15457d55d264cd00f4ed3e5736

SHA512
9fcb6cd9de7965376546a280860d3feeedb82f8647c0bd153d5a42ac5e04bb29e4b21d6918c91d78673928108741f2851464c45516619d24c238ff59608b3102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_76733C28E3E87E78CF09C0BB924E316A

Filesize
496B

MD5
374f6cf12856e5a82377cce735bcb296

SHA1
34dad7ca65fc4a56fa7e19c3545479ab62f8cda9

SHA256
375990081e0da07b832a6eb55dfde42647e22a007ef6a34f8f88746b29593fb4

SHA512
5d42ea31df16844eca307b457b26694bdee3f5a4d1b8e8fd1598591a9d2eea192dd2e2987f8fe3acea2dac0ab7251f36b9d81e8d793ab20c98d66f60a6a53f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
ccf9c6144e2243b7d221aee997c57762

SHA1
edfa14694bb788e553e56d06b338d60f97ad1483

SHA256
eaf0671a796647a230c5919bfa0fdd775a388a3570e5ca817c555b68e4b89940

SHA512
34ceee43402c01c042df40f86df15bc3dae42291fe694e3293733fd29a9870e62da81f307051418d63f3ea1a6eb53007a6fb93f57116fc9d660c82ca3c332244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
36b2a5fcdf8092421d08398414a7f6b5

SHA1
61eb85dcf2f1c1c3a925bba20edb428f258a78ed

SHA256
d8f8e2a60bad217d5d3a81e4500a3f5d77a519dbc7d288c25a8e4d186be66c67

SHA512
8a3a06357af43ffb8780d79b486c8fbc240b0941665fc8b6bf13eda0a99a92da3f689d07b63688fa97a5073c908dbc3916074bc175b6bd3cc23045c138046ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8e0826ad1933d4f98b19bd28ac929ed2

SHA1
0d80634fdc322eaeda2cfa096df7bb1bc7ff197a

SHA256
c705bbc54b12228fc87861b41cb4039ebdac8972fd5ee81fb908426649beff9f

SHA512
ce9ee27a4d0754848ca2ac804901813eabb70fe9d5a369e3b1bbc0be1c031349880ca8200cde8e7d4c05cf9a4390c952105cae8bb5dbfdbfed364da7bc126619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
04d28faa9efe4cfe3b7523b8cd557883

SHA1
8de7c6bfa87930a6ef10a8814e02ef9b596563e2

SHA256
8f68001679ae2b851d5ba91d4e0336a6d8a63c0a3182d5a2e57ad46d14a6b9bd

SHA512
998d2cc4b5fc124bc62bcd80c7b5a32f7fdabbfde8a54065a86fad506f28f960391969c46baba975e53d04c4dd72640dfb85abf484b48ba7b7e5d94da9c14546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
00e83ef7e9884cd96b7cd5f4c6c8817f

SHA1
b1b850877cec7b28b681cd9ffe77d136e1ef0a18

SHA256
248b1a31e96abddc65b09dfa99329597f226a3244db57aaa1af01eb145988788

SHA512
0b807ca072a904d36d25d040ceb30dec83ada19e63f839be46e876505d094780d4e9dfe55c9d47380cfd282ec55a6fa69eef188503c4b2adcb6755aadbd3e967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a51577316e95f4df36c616cdf90b6af2

SHA1
820cc0cda9fec4b680f34d63b762884920ef71d2

SHA256
e8960304cc85ab38f4049577c4a4710a15815078d3f373f79229986147d702b1

SHA512
37117759eba0f0c55cbab57cd8c7a79a885fee21a25caa1598ea0af2a085c5df35994e863b357c38c09fbca8bafc6402a4ac9b05dc03c2b56233bcd6a712701b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b76687dd74e0b84a7bb4bf14d7c169c

SHA1
8245335b2da726ca0911f147c9dcb9d9ca5f4f0f

SHA256
480f71831e2c6a80f8bc072c838c2d41dd88244fa592399ded054320f31e4559

SHA512
e90ff08010d4055572b7b0c0dba605b77f5decdb9ffd1087ba2d6fa4b6c5834b8aae08b643895a4f63ab39730a715443300a73e2244596910aca6e14a7192f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f40f9f9dd44764a5098a37b97fbb2ce8

SHA1
77a0287d4b05b8f22dffa2f6b2702223e9e12886

SHA256
82d58f136d2f34d41a52ad90bdddd8d410088a830496664c7839c55d54c293ff

SHA512
8a6d89f88c4f61a199a63ea202d9e7b367996216887e8716b4de90e535f0dbc8f7806d16087a84f5e4b174c855bb6db1f7e850ed700aeb5c4057de52a80c3f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
008033638716e98eb530017d69398ddf

SHA1
669e003f96ee6feb8b1bd6214175bd0e5535a00e

SHA256
9072e64bf1c18765abbcbe28462d42087e0d977edc635d64dbcdab9adb4aadcb

SHA512
7f75bafcf5cd2d6cc87aabdb9847c287ef89f11e0d38f2bac411a92c9f94ee8a0eab24336cfe06bca153b8923cd2be547ed78af63dadff7a06ce48b82c313cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e522eac2ac54853ba9d4ac680ce759e9

SHA1
6efb161a56ea0a514b8e826b4a37e578572d85a3

SHA256
4ce288526a80b0f388019a2416688ce9c6e87efd5a003bd95a6b790efcc867b1

SHA512
fc3e5a7a5bf900c03804f83e332fed7ba1926a230791a2700ee01e20fe7fc5e8023b7b3d5ecbc6f05b2d32d5e6067e636f311ef2765f64a038d208d7a36ea4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
ef2a2e0e93a7840bd1bb8b6926318740

SHA1
c915463df4e45e806b959d61e3b980a948dbd12d

SHA256
74bc845884634947252b7bd2a40948b7da00b61aa48ce5e62eea8ee8e190e10e

SHA512
0be5a01df3660e00d8a22ea7d60b732e1ad07d7fdba3ce197562e0f4194afb1dd868c6f582a03ef787556c207775244b654a18808d71e31352ff1a3ba8ebd0bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
6339aded62fba4607787c84668f00428

SHA1
fd30a5ac803367de68a989073be94f5a06960cf1

SHA256
9ea6cb434fea2674c69b7258a6ca3b0076c4fdf797472df9c61db54421da7e05

SHA512
7982203ae444f7739dd599baebbbe118f26b9c8ae9251c3b46fc49a7bb0f6c769bf329832bf53671e2c424051add9854971f6f208f60b6e5a229b8a8bd68acc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
9445b778f8b8be447dfdc50ff2304fbc

SHA1
bd47257247a0556867f59130241d043d815793e6

SHA256
4d611b164195e7e8e7f5da73a260924d687e51d214cdf9b43142e01c03ef6397

SHA512
f063576f1d8ccd361783ccac3db9baefbd1b442caf09ddc4d6c49c7268841eb4b667259f103d48392d5be9896b9ffed86fe62bc6a1775f77d4a5501845bc2634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
9214591c8e09c7b0b575fa9c15dc3be7

SHA1
ca418fd08dc26bc64281a93d1680b0a04e57a4eb

SHA256
96e51f2b3e6194ead5e4147e8ac794c8e448554391f574cae6fc4d74fc1f93a6

SHA512
75b842fb8f9e04d3fad0660d110e66bd42cd48dc6c585af71198b44b6e63dbaec346b54b2f3b35a16e7b9c784c10ef5a0f2e1ed2cc7cadbc7331900fb355b466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c6bb5dbb085cbae465c8f230aa309a16

SHA1
fd00f0a172daf9abbff144925b85dbeb14fb230b

SHA256
a0e95554a71f47d105ea008805eda504ebfb5ddcde772ca79e595304b7d1645d

SHA512
8e03e9424d0dd8a63ea1fb193cee6be9e35eebb053d300625b219221c4d7360ce560a0820e2aa7dbbbc0f2aa2848650896c14d75d37af75cdee178adf4b6ed57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
69KB

MD5
0c7b2cde4cd6fb8ea8eb66f809b4df22

SHA1
9e8f62c5052b0cd6571e930cbcdfb9daacf03a3c

SHA256
9718483a2bcd135051a65ee10591ea81c25aba0a4949ae21da3f5bafb9427be1

SHA512
86e27959c692bde604f61d2a53d506c7d624fd052ac4a7fe3fb4e0c051589b57f425e5951b4d0f8efaf6ec56df9a65ebb0cc0393f6f88a05ba7d7e875e9016ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
579095c76018df9d68973b87a38dace9

SHA1
78bf68d1e699e07d1f5064c765f2cbde9ebe5442

SHA256
5ee0e2ccbc5b32e8a444c045722c4f34020674f2309110d9eeb938a79a25a54c

SHA512
d3174fe663a7611c22352f6ac9c6ff89252a0e521d3949529d59ce207e12126c826b2d176b68d292e0e48b1f5bbd7e85baebafd3338b63bc25e3ca1fb131dc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fc17f147d84b74f3c5e3e1b1a7309333

SHA1
8bbb0a09cc4ff5817f7e1ab6771728a44826b27a

SHA256
8bad431045914c269666812b753c9f6bc62ef5e21811fc90140696ce1c3a4115

SHA512
f825b929145697b8cfddf744c8aed306512ecb01e4805432eba841db474901b4b74fd0663382c6dd846bb86153e1fb8e0607efb73a902ffd9a8955767764f16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4c3dc5d0c26e743002f3e036bece5e06

SHA1
9aa30aaf84673285a2bc0072db47d049aa5602d1

SHA256
d9e231f171961c1023f1e0ad856c116f8ab9477974f8877be827522449807673

SHA512
46c25d2a92be445c370894a441fdb31a455541f490dfdab4ef301e51dc4664062fcf135515e244201569c36c26b87b09f63001e1034ad7df8a97208a1d9ebe25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3bf6540bb8ac1148d668af691fbf74c0

SHA1
570e220aee33c3b19483d2d3c55aaaf6e5a54946

SHA256
20a6e7d3e0230f27c0b10d4c8976d95cb388d9281426813793d9b94389fd4ef3

SHA512
4ef5f0e05c13969cd7469b75aeb05e991c5edf5f05194b9ca840abc3420662a566dd381cfe56a0ccfa0592168b01288b0991a027695e1965447b03dc32b32dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c2a0b5fe364c2aae2beded64a67392cb

SHA1
23d1539bf9732da3eb59a28ea5034122c0c23b8b

SHA256
3835e266dee84bcfdcea28909c755cffa7c4a96d923f95a4a82ef9366e36af23

SHA512
0f41ed6dcda1653efae9a1136769cc62bae27f0bee11519afda591077110f3f6e159bcc424f9e68d20a84269a7fc5da3f2e39c5deb7562ecbc4c23838a0c3f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db9d26620afd5b505ee958c68dc55aba

SHA1
1bd5d4415e4bcd88c9da868a2cfabebe53f3996f

SHA256
cdfc491f14526ca5b2c98d8332201a66996907848ac73038ac51a975f4a18d31

SHA512
984b3be8312c301b675750b1649ec0abb33906573e12c66c16615d957dc5c78a2fc7d55eec907d1b3ba2bac1c675983664e68f435fb882da2902c23593b43615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
daadb0951e6fe7257f63b5b161c71488

SHA1
e13032e2335fc73555405714900ea1e885e92345

SHA256
8572bd308e8a9e5b189d3610ca96fb4c90b39bc581758f2547a75b7e480384b3

SHA512
cbf932c259776a50118dfe9651c93d88e0d2c5f30ea2d3a0bf1718e5ce88919b177c7c3a31d468328b38a584562e62af01f22cf1a5d9a4bf25f6a3ff6fb587f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70ccdee46334ca738539ef87d78401bf

SHA1
3dfb6b07f56df163852c638dc30652547d44446f

SHA256
3add1ccad3982d35f16ec77fe60049afca1668aed7a985f401bcc5ec983645e2

SHA512
c0bf463c93d5516eb19c190261e76711f7b2b083f1bdeaeb7f24867d3d6d33c47f1ceed1b76c86556e5db75a44496fcd263814822552f5abfe9c00583513ab4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1318a5484dc215a021fdff2f26d9d365

SHA1
eb7eef8c5e97ef1b1b886d314fa7a4676f0f13e8

SHA256
e7378de040732ed73747916ef2b9197e305bdbdf0f7fcbc53c442ba4b177ccae

SHA512
d95d3b459c370565e922f038c571a80b7af86feec14e25739a5fc6750e61adb7003f8f52d33f417196bb3c73a7a12f720bbc75625764e90d4c69c6dbb2d6762c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aa0ae3318da705cf89bcdd4a58f56111

SHA1
8ff71fb9326cb9069af4ea513f59f3a594815702

SHA256
04628fa10e68655f6b83de4eb7cfef3553e176cc00d38ac12cfbcf9ac078aa6b

SHA512
a7bff90a9989d950ede6888d91315a22160ae55d0845e883875bb231e8cbc1a459a20d7748a0bbc5721d3842af5c9dcae7ad02fab3e4eaf21a18f8cb3efd35c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cf3022a47bdcab111af0568cdedcd380

SHA1
15717015364b3d78ed5104155b3143202a286e01

SHA256
4e9482e44000f31ddaeb5ab522f877f9909fe1391e83b96d03b9c3d05fc927b9

SHA512
e6ac6df029ac348ec402be96b9eb7e7bad7727a9862688ab59a5f7aae78b3d11981f119601c5e9f05908e96d4571024723f6fa090668a97eb64c82a5bcfbe55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1dce99faafddc6c096f6fb533d470e34

SHA1
21c56ad35f9016d5eccbe1124f00234c5f12c937

SHA256
3a90e9cf5fac21caa2e4956315598be162f8c27829fd2a9007bdf1d0b640f2ac

SHA512
dec1630765918abea7af139119c0b80cae2f7d3295d8390108ea2d8cbbb505d7de272c8410ae891d52cb19fbc1f7c7d2ba42923c044f52fe149fe5d3df69346f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
952a31fc6739e2a7be8ad0bbb1e38b97

SHA1
8786c5fd68081a27e9416e888404d3ac16046f5d

SHA256
5e622c8607b7b012997f173f2b134a23c93b3f24756c48ff8a17ea4885c0cb1e

SHA512
ab21fb6576e47375df33da61b0e55bcac6760db324cfa4c058e18f3a2f215c4088593ac70c2bcfd80ecc7cfce96f378d4ce7f01a93bd00d75ad0f92fc419fbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7a6f42e689988a001497f6039f32bcf

SHA1
a839acb106ffa736269e9e875e2eafe61766dd13

SHA256
9dfb21f256a91cab13f7e74e2c58880f9e6bba43ef9e01c76520aa70ae5c3ae8

SHA512
1c8b11deae5ef15fe367d172462b79946485902f6957f973f9e078aa1682c2e7033696fc26a8ad641be4f15e4a19d3faf9427940ab630873ec651fc6d8284107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
836534311af88e0ecdcc4561553cc43e

SHA1
92533d4d8643b654a21b49e7a70047d8c74a9bbc

SHA256
b185d7f4eb9cf2e1a1aa13a7d9bf29c57fedb3ca60de4452da375e074c1e17a5

SHA512
07fa6632a267d08967feec5f6ae26f7a2a6bcf7482f688c5a5e2b4c966d402e8221744e8090e87cc3a4b504f223c3365b4baf8b40c40ff0d839c234c6441efd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b7b7587d7d152bece4bf6aba683e32e

SHA1
646250e15ebd56661a1fc5c257d2eac87fd8e438

SHA256
a06d2ca6f7d3026b383e183cb997aeb6e745b117fd16c940d885b4cf17f0f08f

SHA512
dcf164df7bef7bc76d1f66165f822fa1fe16a8526676d78bb98e15f0e26de241f28fb465ed6ace1b43d6b255fffb91fe7abcf0d225f6f4772fda1373b21b8cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30fb91d9578a5d96ddc6722efae40257

SHA1
c2dc3d641baa8c39b64001eb789aeae836eb4d90

SHA256
abe0ab16ce56c50a968b53082e6d2d4dcafae1160a40218b2051b9d12f71e161

SHA512
ad718517aad1633b36a1a5f7bb2025c7e8fc3e215a20da8c8b574abfef9b6558c63b192d68687e814d84b502d5e7b028de68f583d578df4457a1c2ab9037541f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f785cffe493d5525f76580b2b0c8fb94

SHA1
3ba5d4ec46215969fd93585906029850f5c77cdb

SHA256
9611c93fc0f62215f27302185cdfefe13f236185790dadc4c6d663cebf42b59d

SHA512
a2da568e2d175ef1ec7be7218a647d9bfd80e42ecd0a52403e27552d2e8d32076bd3dfb036ac7e8283c4341871e51475be2b41f3bd2ac9f9dcc09dcc3946fad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a4cd9.TMP

Filesize
1KB

MD5
21f0cedef0190d50e01f4bd3c60f32ba

SHA1
7ae21caf858b2dea92e7b3659f0027f872b99b67

SHA256
d2c55981eabd2ec1949a93f1b0557893c82756049ac8894a345e7a19fa296106

SHA512
069e84683a7b6b4cbc94c6bfb29d48a4ced1b3153608a7aab842c7be4a6610e2dd8ee15842844c4b8c0acc8bfca8545bc0c722dc3ac0e6e8fc3a8a1eac9ad522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3041277a127b4e263b7439da6f546fdc

SHA1
ee8cafbb4cad576112b3ebab49478f93d44193ba

SHA256
0f19b0c70378cbb3989fce5e88d27fa98086940f61cd373a4b5c2314f045d824

SHA512
838b8ffd2a49aa62d481af49e1a94c78d7c908b0951f39ba45dc3ef73703ed1d4e57b2966396dc2b787fc0aabe4709e5f06ce5a230ba169fd93467fa790f446a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e16e1beb4e7a86cca444beb6e41b4ba

SHA1
40bc1ec8b5374bb0913045141faf726392704f5a

SHA256
b95a47d9b44aa9db3d4161c931ba198e8db840cc0f18e8011e634ebbaa09e869

SHA512
2ad4a19ea68c207f1781ccf4881b23185ae7726c1fe2ff0f0009d00190af467c9afa311ca7314e1fa81f1a13af40b6125f52c26e4f52009c07091d52935a30ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
109ddb7c94a333a4373647b3fc7d7e89

SHA1
e4b085e73ff0534315aa20e16e52dc0c2239a16c

SHA256
5e8fd6dbaa29fc8cf447e51a4476b2384bd92c9c7d4aee3e95aa7c72347d34a3

SHA512
033070fc7e6875cb29aaede6c3136d41f8644cd16676a6b3bc10a21747b8f0f00bf69f89aad0d97c482c3d2b7d2484040279c4ea05b37d4f78c2b6afaffb8a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7AB4.tmp

Filesize
90KB

MD5
6a9c36332255fca66c688c75aa68e1de

SHA1
2a03e2a5e6a8d9e2b0cfb4e2cc1923d9c08578c1

SHA256
7b7ebada5da99a20c44eaf77e6d673985da42d9b7cb4f5e4235b7579581ae170

SHA512
a638c48026f2a0b565b34d7d0dfacfec4f582e698f88234521a6fcff1ed90c134f39aa3311cca2a67e401de01f81cac01d9f792f189127e0f87a345076827627

Download Submit
C:\Users\Admin\Downloads\HTTPDebuggerPro.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 574426.crdownload

Filesize
10.4MB

MD5
da7e08ef168ee4662ff1878202303a36

SHA1
df3bc617162a0f5f5e854403f5dc1e00e093e498

SHA256
ed9e8f5fda10a14fbce76252b111a031bc4f3351e9eb342ea4edf6b6d16add69

SHA512
bd248c68077a6aa1d6120cd3401770b09762cd75010a30b40cdd46196c726bce2fffa9036a2e3f47bbdbe4b935b9252c7ea38f4947d5ef187831d274a13b8974

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
a13eb9cbf0223df2755c88901a05f61f

SHA1
04618bd4fe90e26022187dba53015ef414ffa841

SHA256
957224ad47521c5f4f56ac636e96968d8d40632227e26458c07d49282c9b7bce

SHA512
e4ae283ace894f4bbcee76bed74c7b69b5d49d5574469c81b619a995f8d5d8d521b812f31bdea7de75ba1771e72c3f35b14c63c9c2bfb66902cd365ce643c86d

Download Submit
\??\Volume{0e100a70-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6a97b9a5-b588-4c57-9ffc-7d92854aa22a}_OnDiskSnapshotProp

Filesize
6KB

MD5
05158f71a8aee53ca29c3ebcc583f054

SHA1
78813d1673ab9614bcbc4874a7e4a2ca9182ac6f

SHA256
568ad54d14100afd984649ec8bfeff56a66d2bd1a969010cd794f8710fd55327

SHA512
1514ef862b1e0d9836ef8ee725233e04c59f72cd0826adbcd4549fd4647ba96e1bd0a1a88208ed4cd377001c9258c3b64bacfba52d49d8b1c353d3e72e76c028

Download Submit