dcrat | 0ef3b7e7f6dc377f3f8dedb00b6263a194af8d316c391d18d3393611a9bcef9e

Resubmissions

11-11-2024 09:35

241111-lkh6qaxdmp 1

11-11-2024 09:18

241111-k9wyfawnfs 10

Analysis

max time kernel
383s
max time network
397s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sapphire_vegas_pro_159753.rar
Size

381.0MB
MD5

4bca4a8701135905f8e74291c7a01048
SHA1

fa428d2827cc17d488ea94f65b1bb314d1b2cc0e
SHA256

0ef3b7e7f6dc377f3f8dedb00b6263a194af8d316c391d18d3393611a9bcef9e
SHA512

04918900ca146afb02047d9354c77ace50a50452ca66bfa5d4a50afced4e9305e38c0d3b884677d30a1c60825c8a9dca158465b7c277f9dc9021df5c055756a4
SSDEEP

6291456:0wRUo9Bh8WwCdJFdxjQnOGiSGZLNcVasKTIJRplqsUHOd46g8eIp85uDtJEe+/lp:X9BbwC3FonDANcVasKKRplbUH86TW8MW

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MssessioncrtNetsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Users\\All Users\\dwm.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Users\\All Users\\dwm.exe\", \"C:\\Users\\Admin\\3D Objects\\csrss.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\All Users\\SearchApp.exe\""	MssessioncrtNetsvc.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5448	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5520	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6132	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5860	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	4152	schtasks.exe

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MssessioncrtNetsvc.exe	family_dcrat_v2
behavioral1/memory/1252-2193-0x00000000008C0000-0x00000000009BC000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3168	powershell.exe
1596	powershell.exe
3516	powershell.exe
5252	powershell.exe
4972	powershell.exe
388	powershell.exe
5976	powershell.exe
5388	powershell.exe
3452	powershell.exe
1472	powershell.exe
2400	powershell.exe
740	powershell.exe
2852	powershell.exe
5356	powershell.exe
5220	powershell.exe
5164	powershell.exe
1104	powershell.exe
6112	powershell.exe
3192	powershell.exe
1280	powershell.exe
4888	powershell.exe
4420	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeMssessioncrtNetsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MssessioncrtNetsvc.exe

Executes dropped EXE 5 IoCs

Processes:

Setup.exeMssessioncrtNetsvc.exeBoris FX Sapphire Plug-ins 2020.01.exeBoris FX Sapphire Plug-ins 2020.01.tmpSearchApp.exe

pid	process
2436	Setup.exe
1252	MssessioncrtNetsvc.exe
3132	Boris FX Sapphire Plug-ins 2020.01.exe
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2612	SearchApp.exe

Loads dropped DLL 2 IoCs

Processes:

Boris FX Sapphire Plug-ins 2020.01.tmp

pid process

2988 Boris FX Sapphire Plug-ins 2020.01.tmp
2988 Boris FX Sapphire Plug-ins 2020.01.tmp
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MssessioncrtNetsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\3D Objects\\csrss.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Portable Devices\\TextInputHost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\dwm.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\dwm.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\3D Objects\\csrss.exe\""	MssessioncrtNetsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

135 pastebin.com
136 pastebin.com

flow	ioc
135	pastebin.com
136	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe
File created	\??\c:\Windows\System32\CSCC52DFE385BA042ED9353F407F47FD91.TMP	csc.exe

Drops file in Program Files directory 64 IoCs

Processes:

Boris FX Sapphire Plug-ins 2020.01.tmp

description	ioc	process
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-G2NS7.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-I0G09.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lib64\GenArts.Sapphire.OpenColorIO.em64t\is-4QD9K.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Blur+Sharpen\is-Q0T20.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Stylize\is-OR484.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-H2MUJ.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\glares\is-1TE8H.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-CIHEP.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\change-usage-collection\is-T186F.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Lighting\is-B2JNH.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-LNVKO.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\Sapphire Plug-ins\Sapphire Blur+Sharpen\is-KVVUM.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-P972F.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-1LBKV.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-DO0R6.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-JV3FU.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\film-stains\is-850A7.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-45ETB.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-GMOMC.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-TGGTE.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\film-stains\is-6J3CB.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\glares\is-LFA9F.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-L7RAB.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Composite\is-HSF1D.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\scratches\is-EG20E.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-0PS65.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\hairline-cracks\is-8MKS3.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\paint-spray\is-GD94I.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\Sapphire Plug-ins\Sapphire Adjust\is-QRBJ9.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Stylize\is-QP9BO.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\Sapphire Plug-ins\Sapphire Stylize\is-DNQOG.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\pavement-cracks\is-S1CAP.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\Sapphire Plug-ins\Sapphire Blur+Sharpen\is-4LDE5.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\Adobe\Common\Plug-ins\7.0\MediaCore\Sapphire Plug-ins\Sapphire Render\is-SINOK.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File opened for modification	C:\Program Files\GenArts\SapphireAE\pylib\Qt5Widgets.dll	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-QEN9Q.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\film-stains\is-38RB7.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\hairs\is-580TS.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\glares\is-OEUH6.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-PVS9R.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Distort\is-QO2VE.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-OC6M6.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-0SDG8.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Stylize\is-7O2EV.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\luna\is-U725P.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-RO522.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-OM4CO.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\hairs\is-8EHL7.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-5MAHT.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\lensflares\is-74APU.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Blur+Sharpen\is-LNEQO.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\dust\is-VGM9P.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-H3TTS.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\pavement-cracks\is-RV36O.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-JEGOI.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-9RC66.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-OJ4MK.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\pylib\is-7A2MR.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File opened for modification	C:\Program Files\GenArts\SapphireAE\pylib\api-ms-win-crt-math-l1-1-0.dll	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\docs\is-6GBUF.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Time\is-3P4DO.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\plugins64\Sapphire Plug-ins\Sapphire Transitions\is-MA919.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\hairs\is-0U6EH.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp
File created	C:\Program Files\GenArts\SapphireAE\stamps\hairs\is-T6739.tmp	Boris FX Sapphire Plug-ins 2020.01.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Boris FX Sapphire Plug-ins 2020.01.tmpSetup.exeBoris FX Sapphire Plug-ins 2020.01.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boris FX Sapphire Plug-ins 2020.01.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boris FX Sapphire Plug-ins 2020.01.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

5348 PING.EXE

pid	process
5348	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757908593515195"	chrome.exe

Modifies registry class 12 IoCs

Processes:

Boris FX Sapphire Plug-ins 2020.01.tmpexplorer.exeMssessioncrtNetsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gpz	Boris FX Sapphire Plug-ins 2020.01.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\DefaultIcon\ = "C:\\Program Files\\GenArts\\SapphireAE\\preset-browser\\preset-browser.exe,0"	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\shell\open\command	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\shell	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\shell\open	Boris FX Sapphire Plug-ins 2020.01.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\shell\open\command\ = "\"C:\\Program Files\\GenArts\\SapphireAE\\preset-browser\\preset-browser.exe\" \"%1\""	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	MssessioncrtNetsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gpz\ = "GenArtsGPZ"	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ	Boris FX Sapphire Plug-ins 2020.01.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\ = "GenArts Preset Pack"	Boris FX Sapphire Plug-ins 2020.01.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GenArtsGPZ\DefaultIcon	Boris FX Sapphire Plug-ins 2020.01.tmp

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

20004 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5348 PING.EXE

pid	process
20004	NOTEPAD.EXE

pid	process
5348	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5448	schtasks.exe
5488	schtasks.exe
5900	schtasks.exe
5520	schtasks.exe
5856	schtasks.exe
5828	schtasks.exe
5976	schtasks.exe
5892	schtasks.exe
5860	schtasks.exe
5892	schtasks.exe
6120	schtasks.exe
5828	schtasks.exe
5476	schtasks.exe
4984	schtasks.exe
6132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMssessioncrtNetsvc.exe

pid	process
1956	chrome.exe
1956	chrome.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe
1252	MssessioncrtNetsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeSearchApp.exe

pid process

3204 7zFM.exe
2612 SearchApp.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

1956 chrome.exe
1956 chrome.exe
1956 chrome.exe
1956 chrome.exe
1956 chrome.exe
1956 chrome.exe
1956 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exechrome.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	3204	7zFM.exe
Token: 35	3204	7zFM.exe
Token: SeSecurityPrivilege	3204	7zFM.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeManageVolumePrivilege	3552	svchost.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exechrome.exeBoris FX Sapphire Plug-ins 2020.01.tmp

pid	process
3204	7zFM.exe
3204	7zFM.exe
3204	7zFM.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp
2988	Boris FX Sapphire Plug-ins 2020.01.tmp

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1956 wrote to memory of 1496	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1496	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 716	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3408	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3408	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 3040	1956	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sapphire_vegas_pro_159753.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdd373cc40,0x7ffdd373cc4c,0x7ffdd373cc58
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3744,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5328,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5388,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5448,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3448,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5416,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3208,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5280,i,15331286008191852368,17198735757914545646,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:18476

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Users\Admin\Desktop\sapphire_vegas_pro_159753\sapphire_vegas_pro_159753\Setup.exe
"C:\Users\Admin\Desktop\sapphire_vegas_pro_159753\sapphire_vegas_pro_159753\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MssessioncrtNetsvc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MssessioncrtNetsvc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvb4wf1q\vvb4wf1q.cmdline"
    3⤵
    - Drops file in System32 directory
    PID:5912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4910.tmp" "c:\Windows\System32\CSCC52DFE385BA042ED9353F407F47FD91.TMP"
      4⤵
      PID:5960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ypwPuaAS2B.bat"
    3⤵
    PID:5816
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1156
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5348
  - - C:\Users\All Users\SearchApp.exe
      "C:\Users\All Users\SearchApp.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5356
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Boris FX Sapphire Plug-ins 2020.01.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Boris FX Sapphire Plug-ins 2020.01.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\is-7ISI2.tmp\Boris FX Sapphire Plug-ins 2020.01.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7ISI2.tmp\Boris FX Sapphire Plug-ins 2020.01.tmp" /SL5="$F006E,400692407,57344,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Boris FX Sapphire Plug-ins 2020.01.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:18824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:18852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
1⤵
- Opens file in notepad (likely ransom note)
PID:20004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\GenArts\SapphireAE\flare-editor\Include\is-RNCI4.tmp

Filesize
21KB

MD5
b974f1d3041e4473ad348baae50fad96

SHA1
b43bc307ca85f588eac4bbbda1d2369c710d0c0f

SHA256
c8d916d1fd3b9049444852b78e1f4e1c7a8b9013eed6497182ee19650bc664df

SHA512
df8d39099cbfdeff80b045827dcde4bbe4a54257f4e4e71b9284a3ae6787e0710e9789d667e7d0e1abe62290e177ad40f189ae430e721c80c1bc3e5c25425206

Download Submit
C:\Program Files\GenArts\SapphireAE\flare-editor\is-EDQ51.tmp

Filesize
317B

MD5
02545f50b01323218d4470f691bbaa10

SHA1
2f23235c84313fe77474c60e7b6804158b0aaf1f

SHA256
9caacf550987848417f191871008d9ae317b76495cbfb77cd026394557af90d0

SHA512
7c34f9177dca4a8e64fc1d20b0110bef0cd749b830a6d52040f425938490567077aa1ff2341014076ba0d0ae9ed4a086e9989c59e8662861491ec94188752e20

Download Submit
C:\Program Files\GenArts\SapphireAE\flare-editor\is-G9P5F.tmp

Filesize
761B

MD5
1e68eedd424ab482304c83925c6b372d

SHA1
ae4f8de960c75f281a03612ea3ee7a3c8919d71e

SHA256
dcfb6c3afc694b922d971b74d030e64f733376a0a2e4949576ae4f5689b31a4b

SHA512
6b4f8b4bd22afb6ceea2a19d3b1fad75ae1f9be76df01173e5bd6e09b845a9a7d0130268e3ddbb45e95afd232854fa17fc7617af480b95b6912c395bfa0ee799

Download Submit
C:\Program Files\GenArts\SapphireAE\flare-editor\is-ODNT7.tmp

Filesize
18KB

MD5
297278b749035bf2a20fdca76583021b

SHA1
332c259ee6277a63b44fcc6884d8402df16a835f

SHA256
8d1072fb301ddf7a087c6a508a9c4d36323d161221d640051d99b08184286f14

SHA512
5104b41fa06494812ceee1ead2903ff30b2d8968f2707b2c7bf4e785f428a5cfef1fafcdf53eafee75c4f547cb63491ca266579fd89653317df594150ea648e5

Download Submit
C:\Program Files\GenArts\SapphireAE\pylib\is-BE7AS.tmp

Filesize
378B

MD5
a55ab44e1a5c551941d471fc34169327

SHA1
146bc86a300403fa123d17bd0790a6af731f2805

SHA256
7ddf5efb1bc2c0b1a73ce27c0cbf7b89a293d811ee3ec2c65c93571a9c8e4b57

SHA512
db0e682b6bb3738d5dc0bc9c9da0d96e2a724249838d81e8c401b010de470a202a1fe8daa132f4d33f20be87cfae5acc5f6cd88d2372701f06923dc35b3980bd

Download Submit
C:\Program Files\GenArts\SapphireAE\pylib\is-RSA6V.tmp

Filesize
58KB

MD5
23cceec35684b71f509f516d78237f6d

SHA1
115346144e9c20e163c3d773f1f55695d4b604d7

SHA256
71a80a296a6512ce75ac8ae9700a6e39d5a127885c9ecd48bfe842373836cf2d

SHA512
8945eae7540f0cec1d34cad110db250171de1cda24eb886ae92438fd691776f1ea77801e45633d3b8f1c475351a545708bcbafcff184d33796a6644252b055e8

Download Submit
C:\Program Files\GenArts\SapphireAE\pylib\is-VMRQ3.tmp

Filesize
147KB

MD5
5c8a7e4d173c34d7a43158c1204cb1e6

SHA1
1ca74bb3d4dfa1a68433cb69b164667fc78e32e9

SHA256
70dc54d2f44a9c53c3a71e2326f2acc5ea0f4ad08f65bc2670d4f6694e7ed300

SHA512
f81e62da05bf207c1920cd54c802b403929be73b3db550f2c030c6f5590d5091ad5e79e820dd0c652daaa8bda2be25e23db76b95a9458b078e1bbed3d0ab861c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1adf74e3-c889-4762-ae3e-379b44a0ab0d.tmp

Filesize
10KB

MD5
6c5327afd87dc63070f23501b8bc277f

SHA1
2c5930463e724d2dc01ba7fd5a487c21669dc60c

SHA256
daac335d75cd91e1d25a38ae9af9d3f13e68bbdbe50851ef07c441391c4a8ee7

SHA512
9cf5c9c91d2dffa7b2f088df06bcb32862a294a8ede49c9aa4368dd9abd9f91784216f9ff542dfb3128095c0ee9ee4c1acfa47cca655b485a67005190bbdfe86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d20b7289f97a95f1532e427c7b9f2e5d

SHA1
56d0a2a1a845379552ec3e670b5bb4dd245e2d70

SHA256
0bfa9f4510c770895d9603b1ddb1de8fa778acc4902057000d965fab42f0d73b

SHA512
189e8265fdd7e1b30aca2541a0c6530e43092fcd172a84718606c7bfe03da47af87f8c231a3713b8fe9115242a1ecf064aef8864b52b59f4b2382dd37a5ae094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
ca9fe4bd0efec9a7b1e54ff969858441

SHA1
a8a9e270207f55bd7825b276c123051c4f6e5383

SHA256
2c84e13276dae2d98b7ac71785ac3a83b9f0f98d414eefc4c34b0ccc50b96a57

SHA512
3032fc246bec88201d9bb5059ca35d65a6cb76114177b412bed2a2d73141f7e48ed21fb8bacd831d9f07503a3db3d368a3e91c377945ac57653288f4cc01717b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0ebe9a9d9922e8205065c8fed2376b1c

SHA1
82177b0cee47d8e92c0bbbb059f3abe106dd7e34

SHA256
69c8de6845353c5e936fc79f8fc46ffe5bb22146324335aa5b43cc1934555c7b

SHA512
6191a286d79e2584586836d0cf56910c0fe0a8ad6fe10c31e860cbf0e908d5120fb2fdf68cbd2e121077a52d0d825a15cf6ef02a20044f4e0fc9dfe9c2018063

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
5aafdb5ba09021acc62392a9e9713842

SHA1
c15368559ae765e3911198504cb153bd13f38742

SHA256
33962a1e2fb6398de19c8b870addd95819cf300fd5b82fb784e5b22697f1a254

SHA512
7b0301b3a485de490db6a85669ef06b4b535820d8b3f3f85fd9bd9ea579b9a77847b0926d4b9bf81f5ee12872edfa692b10671b74fda4d657b58dc04458ed94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
2c99877e8cb974d802185a4068ae6429

SHA1
dcb55c329c346155192ac12cfbfcf4a53b93bddc

SHA256
63595d913a912fafe4aae529cecdfb16cc972979b2b8c0897bc18f0f01743f74

SHA512
b644db6cd9f755975d273e6a8bcf03d9d52f60d1122bcef3ec36961958f6d3c903c43a8f782bf1c05186cde25dabae4e3ccb6d4bfde135f5d53b9a225e582f7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9690b6a7908364de3e161dc70da94b70

SHA1
c7e1726ca75aa57de9ebe231a2b88937967e83ca

SHA256
65cd59d5e2675c3ef1082ef09b15166ffa6b40fee61d3e61e3d97b4defe9ed57

SHA512
c75fee0d941d211dd79129d46a7556e2a4b2cd876c1cd7da0275cc04c4cf7912f24be6c1f44d8b81b8b63e875bf7621ce068e3551a11be3fc7318d870f037aba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
059acfff68f5d0cdad3cd14d89bd7ec1

SHA1
f8c54c2cde3efb630bac155f13219bf8fed7643d

SHA256
d6091605fcff1c4bc5bba9ed5e4e485373def40c193571ad004e82c1b0c80da6

SHA512
d0e465b042e6069c224731de374a81cbe8ca22ad8cb414a15fb13492cca37c1d5917f27da7dbe40db4a36c5d39d615fa5a36d9b8f3035963a08acfe7191e59ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8cc57bbe4f2e2458dd4c0d17513b6fcd

SHA1
63104e674eca91400ab58b4c5ce94210b70dc469

SHA256
7b163d57ef892b42c1435e9eb43ad9878035d0e602102e22504903763887cadb

SHA512
ad68f1369f58e65add6f9d940c2551b2fb436241f9edf91d31c847c6411fae040f3f9a33a2c7a6bbb8fb5b50f26856be5b044dd89175ff27a95e8afffe446c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7074749d4363e9add38a11d7657de19

SHA1
e031c95d37d96bbcf3de885321476c41135312c6

SHA256
80b2c45aee373f28ff3f6ad52ffda2a71ddd6f44245c017e903e8def894024ee

SHA512
e198f06e7568af22c571a64060177a861607a7c2b107c7077ba161861fbf64564aab582c366a581350d5521b4736b26d110fbfc2035f29e448362d70941ad836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5c1b88c09fe7cc488e37a3f3111f9bd7

SHA1
5caeb599c7bed7ff548280191d363644458afd7f

SHA256
bc5bdc4cf94995cb5c01293b888342269bc1540c3b5312c88af53a2a28781935

SHA512
3112e8c15b68b098a731dc6208c64a62b90bff18fc390194f5c2ee7238324b905d84620eaa9e6a78cb5de31c4955f7ac740e9f91d9f993ec40b62ab796d4859e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2a06c8c111027f33557a21c92f1dd0a0

SHA1
3331841983a9d583b84eeca192896d1059007792

SHA256
0ea7db185c39f89706963a03d012159806bd9daaac69997d2deb9df20f12b358

SHA512
fead2c188b09b8775aae774ad20f6008370dcfa947b638e4d038a51037f6cf6f664c852daddee245610642b0bbeb0b956c2456fec0d71979693bf9740a9207ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c75afbb4ec2eb631226b3270cc1591bb

SHA1
5849522925305e7af607fd8c59c7ceaf46afd323

SHA256
0518ab4384b27c330dbb2c29e8ec58a99ea9fb7fe4b490a058b4c40c3097f4cb

SHA512
6a37a13d3b0935f2eadc4bc9537034022e1d2eb36a24df0c388daead50a61836d7d2cd31682b58368d204166370ee6fcab80012f8e033275309ee9a8729c9e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db747ea6abcee9e3230ed068a6ede193

SHA1
4849693bf828c0a974dc5932ef04e5d90f7ce908

SHA256
4e634a65fad61a57da9ef268608744b556fe6435d4f064545edd22bd2293a3da

SHA512
cd03cac6ed6e7d074b55ff12aa95b7fcd24d67dc3f20c5e4240d968db1fbe23e7f663d7a47abc2731d3ddd78d02c2b24eb272391d766ffe301d0802625390a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e2bac6807df52268dd55e809d6484c55

SHA1
44d0b33634d34c107e7b23e6468cd38b418bddcd

SHA256
3d814fb072463d80feb7280ba2c8ad2725d8578c1aaccd4645a828c8a6d4baa8

SHA512
9fa2299bdee974b4d679ffdc53565c08960e2b4bff38fb5f5d31dbe629b20d3153d15a0020084840af6c1e71d47c70dc1114e0a62ce52198fc30b17f50ca1144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b57e715a77372c62fd2c6dc879028ec2

SHA1
9679053278d97f0f5e62d7ea66e08148d572ab04

SHA256
35bfbc1ec8acc53e6b8efd1e305600299eb6ff085bf007c81c8d2f7a3ee8254a

SHA512
350ff851339d1b1ebe1aa41ae4ec009de08432c3832a96e12c83a868bce702a866ea8b5847dfffd89b526f65a3d8ff5e0259f4e0beed9b6207a7c4f6f812f736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
acb9e27faee97644e26b26c013ccc8af

SHA1
3e6ebc42a28a9dd34c7abe0bc4f8053522e55ea8

SHA256
5e57c942833e411a88542daab218b9e9334ee447a1c03f75826e67bee17a9700

SHA512
48d35d68aabdf5d8c80dd467eb99a6680e4ee2554781e97edd35924241fb50d26ccdc0d6fb289764d969d240efa544143b6f6c7ba0229c0d49dda2b25f683b93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da62db21d67054d0d190f34c85441638

SHA1
ee30425a42969f7e905b440d2a4f9855106b438b

SHA256
4d70641fc9092aa62f1992b13b27ce868f166efe70a02c53b4fbfebae340fd24

SHA512
7058ae8c1b9965113b3a51cfca63cfe35346aff0cfb49f51bbcea540a2a80ab8fe3e116fb68dcf9b98e588946799509c950d9cfdbb7e422e12af27f5a6e6d38a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
47005787fa5ff1b3b33c27d5a7dd432c

SHA1
3832551f564d9a9548ada4e1572d8605dce6c767

SHA256
b86a557ebf52e2b3d78ae925109fd64c9d80432a51c0c745f29e2561df8e6033

SHA512
582fd7225e83c80ade390aac8c92ce73449ddd783b387ffb31be6129f2a4760f98fff1b6d2cbbf8092f047c297869f1a6ca69390fb20e6ed8f61c60bc7e647b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f389edf72e15c3c46acf57c224a824b

SHA1
e25ef7939fc8ea170d5630b70a9a3e20d26b40c7

SHA256
e2b26ab4730da8b516e1b856796417e70441c565c9af372dd645f1c72c40bf59

SHA512
62f48f1d733390081a189692f26087130aa8c0b684a8d9461c4828762cc9f7792809b5363ceea0f1dda0f555fd063f734bdb5db02fbf4b3800ba7199dd9ca4f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e06c9deeeb09ab64a91dd4a0515c7a8

SHA1
34823ba13400847219ba290047c0491bc6c65b95

SHA256
2d20ae9763f832d78512d976bcbff128ec7fe0f4e587fcdee959b71de83ff418

SHA512
57b4a39f4581ad2e9edc00c30d88edf5510f3ff43a588773259ce3b256d043a7aaf511cf738e9754df5ceff6b751ae1e0f99bb849ccf9aae6cb3097a28298ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d634a250c4f39e6fc0549e13864bbd7

SHA1
fcddd5fa28b08bfad5b880ec50fe02cedc2f6cab

SHA256
a151385ac543aee14fd45b16181f0055d58c0695027e540572284beee35c7c41

SHA512
57dc77b3dcec20663e89add8517bc586171bdaa3be4ef61e013abfc8f8b5dedbacd81dd877cff03c011ef342d3a9df51c72ae49a9c81c17928527db622798c65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b68aecd19ea1e2b066da44e5f60375a8

SHA1
afbdfc34d0137d6a9f962fe7b3095819f918a725

SHA256
24081513f947c6c7cffb598530a165256de45807008ae59b90e2ff139cbffb94

SHA512
7a58b3c05195eb3da7fe6425f77b69be5b212e8d004e35bce2459fac275fea8329289cbaa03550bb4ae7ec22c2e1923fc67568177bbbec5811c816f5dfc4f487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4f1a262f391e5cbed12983865c9acae6

SHA1
59305b8339ed61eddc237fb8df6102778c13bbfd

SHA256
bb51afa8f376942def9310c1670c9589361898e2d51f1d745f9aadf8a921ef26

SHA512
d79040ce7790a60f5d69e6b622761ba5d98e6c480da32b2bac301cd7e92c039d07974b0620578ee5c0e1b7299ddc6873c8c1ee06e6e37946ae0fb4f5df6912a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df508bd4b46ca9f2b2ba8882bbd53de0

SHA1
eec4458df17e78c1b614e1a3c633c50e9b7322ba

SHA256
27c625621a8e44644441266b9eb29973058f4b1472c3a8d4b2e13196410c9b2f

SHA512
304157bddd412136ff0e70140111cc6886398a86b9943bd00d0fb27c259e75ee13887441c6be2b2a8f5bc107461db54ad2870082e2349c608c472e8fa740ff59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
21febf0e22325a86fc5f72ea5ca087cb

SHA1
28c069098efdb6419a6ba77a6070d899e49d0a63

SHA256
0db315285907f116051114f730cf30f3fd4391c9faeebe5f254b3378c7f6724a

SHA512
8eb9099c1e3a76a070c23523644dca1ea88277c1951205395755bef7e2bd46e0ef8b0b5f9ef82563679bd06f4e2a387f42316fce7da35d9c6216f98038501d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
63a5da15d1a1426004a39e59f1f510ee

SHA1
9b370290b1c653ba3dd0434a0478f6fc61997396

SHA256
887f521d2251224f96664f97d01dfec87cfdd6a39d8e0160661398094cd231b5

SHA512
657b016b9b3f3371ab597f1dacca9e6f85f6b418c027961ab52dd0d698b680d5aead660390a3c8bd9241b6a01ff471420e31c96b27571d78ac9368540675610a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
099288b6cb21be499c0e79484e1a2c99

SHA1
70129173a7e38d64bbf26480d945b402de191963

SHA256
9e2cb0afbdfd306778bd204f8831702300b2b88a328c27294d36ccf18dc97143

SHA512
5a35b2c5400bdfd2afcb432ee13c99e5677300b2055164ed6278c785e6a03ba920a2c6ea3cb482be3e1b36596d84e69350fd428a402892cbaa857c1dd86de1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
6efdba8d4fcd689f6b191eb745a7d971

SHA1
017eafe6a8956c2dd732217edf026840000b5fe1

SHA256
c001e3a67d523e3be6cf3424f72d3cbade57a9ddbc6b2a0dc7b2efae5d3fb6dc

SHA512
e7526a146213ed4ef3b5f47aa8c0c4857cac78f31cce8a13f4ab5ff777ae1128f0b1a1ea1b28b75e66f91c2e5733f7091cfe6a61c6e35b51edd306c40f25aa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf1cbedd91790c2be65fc829402dc0f1

SHA1
9f0e53c9cdd5ff915dde34c26119f027822ab08b

SHA256
7a48200a25d98070baaf5ffba058b4c32667910896d01f2ff95b490f09d961e6

SHA512
050dc81be09cb08e6944889809c1c6e4dda87ce6a47b78e8162a95efd5163b7e741b1ecec7662e77deeb36f6a47f20414766ce668f15074260d6f703c02e3d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
965eb91891cf354fd550483f12b1281a

SHA1
141be6c3d5444acb6e181c143846be579cdcea9e

SHA256
207ab8d614653b388db74a553830e5650a6c906c11217b5d9073a53fd93d7b96

SHA512
6acd7cac6d0cfeed9a6a4bde22c4456f31d699983bedab3d9d8f08665c4a3f85328a3d1472e4288780a40c3d1b79a3821fa63d22af506fd039d13d38c3d31c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
29bea33ff17a4571d3fabb98854bda0a

SHA1
ae53e2a06f1ed61b5cc2ea78910270f21e9089ed

SHA256
72bc1e8f2a35b451e8b786e97a551e0826b7aa505a1520cff31f60c5377215b8

SHA512
fa244f1d02a27c14d19e08fb69eb6435fdef7b381d1fda351e5dd6d7ca8c8e23b947aeac8bd5b92a21cb36592ca239a86de2e22eadf6800fa4142ed1c17fc4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c30103cc6b103339cfe44137ca0edf0

SHA1
ecdc8c1685831e906cbb8ca6065ab4bb06fe3db4

SHA256
85ea59925c660ced52ba5095323e580d61aa8f8de82f31cdde85a5ed7e75cfae

SHA512
a870be1cb86f955187170d99c7e6200f6871bc7858885d3b2f431bfa6f9af1d3d86a00add6f6f5a0396ed25fc19c4181b985cf08921ad98bf4903568fe59a482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
995b3f155017b2155615b5e7cefd2450

SHA1
209fb1d1c01c91591b5cd8771160e99f1e1f6ef7

SHA256
d52a48041724b19b0d6eb70de298e9c75ce21a6fc7b0ce774fec9ebfd1ef6568

SHA512
3a4b574177ad0383df045452d42a87afadbf0a9984360d48b245d1473701e35f47afeca4e4483a63b6bea6a6926b4c133e7ceabb434b4093cc0dd4b18f4f9200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0db76826ef1eb39b10f50c9c98411802

SHA1
88a49701de5a338400b3f5b40deb2608b413ab84

SHA256
f09445a05f2cf45e3d1d8f826bbb4fa78f1fcbf04311a5f5e8e3b7c90e1069ee

SHA512
0247c74dde74f8f1062fd2b28fc57b3bb567e42db8e594f2712fec65e045bdaf4be8c76e9b5f98af48dacdf863091ffa446dfa9583afb4a70c73809cbfa5aaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3aae4c9057b15b8908595b3204552bf

SHA1
b36c54e10c57936caaaef6e6936a169f64ef5e0d

SHA256
c1aeb8fd1e3236fbdaa89a0d21b500346a6c472ed03254c6b117f48b9eb0af01

SHA512
26727279241b454dcd2204e385816f1029f4bad4e20eefe9dd122eb301469913313a54ff48143c91f209dd892cd80ce07682a720084460d2be84622dcfbea016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d2884e2-88b4-43f9-a083-f390288aaf8d.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4910.tmp

Filesize
1KB

MD5
a6ea0eb4322a945b208461df09f94abb

SHA1
3669aa1548f56949f1fa9a501ea652a273150b01

SHA256
eae3bb86355ff743b111b90262610835ac0ad884979982939ef02dfad372a5a0

SHA512
d246b9079f16b5cb60ced2386cc370a284883cac6c52b64726eebf0a50121de81f5536de18a701864ab27bfeac776dd5a273b41004bd06ac186646563b66ae0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MssessioncrtNetsvc.exe

Filesize
983KB

MD5
957c95ae86ddd86d8600cbb8621c1c78

SHA1
a5527d2abb4d6b276db5c6505df51f4504d4212e

SHA256
8543ca2bf39fa3c55da1a9281e1f0020890814319c217696ecd641c1cd90337f

SHA512
22d13ac99e0adca3244a29861fc4c54c5b3b14287655f441cf9fe72a52c93586a620ef244eb4682c257c7e40feb36526b347f4004665f8eb637d8bca41c69222

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asayc3xg.0eb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7ISI2.tmp\Boris FX Sapphire Plug-ins 2020.01.tmp

Filesize
904KB

MD5
bda5302537ac7704df91314ced637307

SHA1
ac1e6b7aa65dc928c0eb8c0c1292f4808c2e2a15

SHA256
1fccc2b04917eb1cd667f80fc0641802cb770cc9ee82f3f7b571471bfc98fcfd

SHA512
57e34f3255ce87509e82f4d701e40a2ec014ba20618f8ccc83402fbeabd4b1b05b38e65889bc251b7aeb1b01c04c020dd65a54aa4661d7af68960e1dbb91093b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L1CLE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1956_181712083\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypwPuaAS2B.bat

Filesize
160B

MD5
a60b2efe530bf8aa5298dadbef0d6956

SHA1
3db8164d155109d5a1a557070dbec23cb9869b33

SHA256
19f42eb822c3b7bbf4f9e8d3abfd7be2579dc1d652ff40371c7268d20833a302

SHA512
b5ea83ab4ae58095205fd36cc42ca5ef1c7d310bc88c1cfac44970cf632eff52fea73d98ef29db45166a4fd62f83a63ae69f7911dbf9d1d310eb7ee070aada7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvb4wf1q\vvb4wf1q.0.cs

Filesize
391B

MD5
6633203e5e7caaa5aa868fec2930d1d6

SHA1
d210692046a334e4374d7d4d9ed49615f81bf284

SHA256
694378f12cef07cd6dc2b858bb1279baeed05d1ecdaf884f71e9953a4037de5e

SHA512
98ae798bc6e35404e73d2b4b3ae38d9bad6a73e5c485240afce02cd9f0ffcd30c1253ddd45503cfffba65570099ff995b49a367c7b5084ac567224ad94d52816

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvb4wf1q\vvb4wf1q.cmdline

Filesize
235B

MD5
b2eb3ec6fa47c11fffba31a3d40a5003

SHA1
7b11100ad794f4e8dfa73b2c0ce0a83173a5ddec

SHA256
5bdb891ba87965ec9b9cb50737de71e6e83e2e2fffaf11d02322adcbac4a64a9

SHA512
5b6ff64dbf5c0b4639918ff77676ac08a7b41fb2d0d458de9aeb40cce240fda024d477470839f3da20ff395d64590103c08fa2789a131c5b11cd77c6d396d29d

Download Submit
\??\c:\Windows\System32\CSCC52DFE385BA042ED9353F407F47FD91.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
\??\pipe\crashpad_1956_VEKBBFODWAJLJZMQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1252-2197-0x0000000002B40000-0x0000000002B4E000-memory.dmp

Filesize
56KB

Download
memory/1252-2199-0x0000000002B50000-0x0000000002B5C000-memory.dmp

Filesize
48KB

Download
memory/1252-2207-0x000000001B5D0000-0x000000001B5EC000-memory.dmp

Filesize
112KB

Download
memory/1252-2205-0x000000001B5A0000-0x000000001B5AE000-memory.dmp

Filesize
56KB

Download
memory/1252-2214-0x000000001B5C0000-0x000000001B5CE000-memory.dmp

Filesize
56KB

Download
memory/1252-2210-0x000000001B600000-0x000000001B618000-memory.dmp

Filesize
96KB

Download
memory/1252-2212-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

Filesize
56KB

Download
memory/1252-2203-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/1252-2201-0x0000000002B60000-0x0000000002B6C000-memory.dmp

Filesize
48KB

Download
memory/1252-2208-0x000000001B650000-0x000000001B6A0000-memory.dmp

Filesize
320KB

Download
memory/1252-2193-0x00000000008C0000-0x00000000009BC000-memory.dmp

Filesize
1008KB

Download
memory/1252-2195-0x0000000001280000-0x000000000128C000-memory.dmp

Filesize
48KB

Download
memory/2988-4103-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2988-14412-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2988-7575-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2988-14417-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3132-3724-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3132-2399-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3132-14418-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3552-2063-0x000002A50A980000-0x000002A50A981000-memory.dmp

Filesize
4KB

Download
memory/3552-2062-0x000002A50A980000-0x000002A50A981000-memory.dmp

Filesize
4KB

Download
memory/3552-2064-0x000002A50AA90000-0x000002A50AA91000-memory.dmp

Filesize
4KB

Download
memory/3552-2060-0x000002A50A970000-0x000002A50A971000-memory.dmp

Filesize
4KB

Download
memory/3552-2048-0x000002A50A770000-0x000002A50A771000-memory.dmp

Filesize
4KB

Download
memory/3552-2045-0x000002A50A830000-0x000002A50A831000-memory.dmp

Filesize
4KB

Download
memory/3552-2042-0x000002A50A840000-0x000002A50A841000-memory.dmp

Filesize
4KB

Download
memory/3552-2040-0x000002A50A830000-0x000002A50A831000-memory.dmp

Filesize
4KB

Download
memory/3552-2039-0x000002A50A840000-0x000002A50A841000-memory.dmp

Filesize
4KB

Download
memory/3552-2038-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2037-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2036-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2035-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2034-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2033-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2032-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2031-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2030-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2029-0x000002A50AC20000-0x000002A50AC21000-memory.dmp

Filesize
4KB

Download
memory/3552-2028-0x000002A50ABF0000-0x000002A50ABF1000-memory.dmp

Filesize
4KB

Download
memory/3552-1996-0x000002A502540000-0x000002A502550000-memory.dmp

Filesize
64KB

Download
memory/3552-2012-0x000002A502640000-0x000002A502650000-memory.dmp

Filesize
64KB

Download
memory/4972-2233-0x0000016671EB0000-0x0000016671ED2000-memory.dmp

Filesize
136KB

Download