eternity | 85fa5e4e714db6eae4bc567d097124f5a5a66095560bd30fde184087d6c3dc34

Analysis

max time kernel
486s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ErtCQRRS.html
Size

2KB
MD5

629b6da3f2e1a8a01ac884cadc18e2a1
SHA1

52b1432eec580b85247eeb596629856a0d0f67c6
SHA256

85fa5e4e714db6eae4bc567d097124f5a5a66095560bd30fde184087d6c3dc34
SHA512

e3a2fc47645144237508f11613b9ce1f840f13463552bc008b61da9c628db27a15d639e6d9dd9f4e535758add15f779d9e2d6b818bc1406a4d21e98e002c2bf4

Score

10^/10

eternity discovery evasion spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0008000000023d96-764.dat	disable_win_def
behavioral2/memory/840-778-0x0000000000C80000-0x0000000000D6A000-memory.dmp	disable_win_def

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0008000000023d96-764.dat	eternity_stealer
behavioral2/memory/840-778-0x0000000000C80000-0x0000000000D6A000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 40 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ErinevV3.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 26 IoCs

pid	Process
840	ErinevV3.exe
4788	dcd.exe
2316	ErinevV3.exe
4584	dcd.exe
3560	ErinevV3.exe
5476	ErinevV3.exe
5132	ErinevV3.exe
468	dcd.exe
532	dcd.exe
5580	dcd.exe
1164	ErinevV3.exe
5244	dcd.exe
5012	ErinevV3.exe
5988	dcd.exe
5900	ErinevV3.exe
2664	dcd.exe
2476	ErinevV3.exe
3612	dcd.exe
3768	ErinevV3.exe
4408	dcd.exe
5712	ErinevV3.exe
1728	dcd.exe
3900	ErinevV3.exe
4708	dcd.exe
5624	ErinevV3.exe
672	dcd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 13 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ErinevV3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775034051361958"	chrome.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e007180000000000000000000002f492640692fb846b9bf5654fc07e4230000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "3"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 746161.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5952	explorer.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
1056	chrome.exe
1056	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
5108	msedge.exe
5108	msedge.exe
4988	msedge.exe
4988	msedge.exe
1244	identity_helper.exe
1244	identity_helper.exe
5696	msedge.exe
5696	msedge.exe
5696	msedge.exe
5696	msedge.exe
1232	msedge.exe
1232	msedge.exe
5924	powershell.exe
5924	powershell.exe
5924	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
5404	powershell.exe
5404	powershell.exe
5404	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
6052	powershell.exe
6052	powershell.exe
6052	powershell.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
5444	powershell.exe
5444	powershell.exe
5444	powershell.exe
5940	powershell.exe
5940	powershell.exe
5940	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1780	1056	chrome.exe	83
PID 1056 wrote to memory of 1780	1056	chrome.exe	83
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 3620	1056	chrome.exe	84
PID 1056 wrote to memory of 936	1056	chrome.exe	85
PID 1056 wrote to memory of 936	1056	chrome.exe	85
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86
PID 1056 wrote to memory of 1872	1056	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\ErtCQRRS.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf7a0cc40,0x7ffbf7a0cc4c,0x7ffbf7a0cc58
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=728,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4876,i,11754719741064184927,5652372862316504857,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe65f46f8,0x7ffbe65f4708,0x7ffbe65f4718
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12814289863296866864,10324169607528606733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Users\Admin\Downloads\ErinevV3.exe
  "C:\Users\Admin\Downloads\ErinevV3.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5924
- C:\Users\Admin\Downloads\ErinevV3.exe
  "C:\Users\Admin\Downloads\ErinevV3.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2236
- C:\Users\Admin\Downloads\ErinevV3.exe
  "C:\Users\Admin\Downloads\ErinevV3.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5404
- C:\Users\Admin\Downloads\ErinevV3.exe
  "C:\Users\Admin\Downloads\ErinevV3.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1144
- C:\Users\Admin\Downloads\ErinevV3.exe
  "C:\Users\Admin\Downloads\ErinevV3.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x310
1⤵
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5204

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:1164
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:5012
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:5988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:5900
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:2476
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:3900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5952

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:3768
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:5712
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:3900
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5444

C:\Users\Admin\Downloads\ErinevV3.exe
"C:\Users\Admin\Downloads\ErinevV3.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:5624
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6be2fb544e8f38ae76dab781b87c294c

SHA1
b2a005f16c1bd6de91805c55f951c9b3089ba233

SHA256
5383c5825c6a5fe186911f66825e097975d1cacf2064f1935dd932c2601cb6a2

SHA512
cf0429b418053ba8a26dc60f2f6400a56fc89cd6069e4fa1f08aea40483199c6cc4c8864878a8c3204bbfa1ef593f1eee0322a17b9f623c275e5e0c5bf9c341a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6cf0da2da8aecbaedbc1573ecc5d3cd4

SHA1
73e4edca53eacd6e85c6aa7f0435acdb28a6159f

SHA256
b2c199b4d1144dabd262fca919555ac6df9768f7cde0ec34b50c4817e34ab901

SHA512
f18de5436f7b863c1e1589c7297f93c9180986d552cb9f0b41169112c4a1895d43ee5721d806e8c5e12901a642ff226e8711cf94ce32bf477751c07f80c6425d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
238e9dd23cf08396153317632603a31e

SHA1
bab72325354f1574fa16135333b8003b4a48e54b

SHA256
a3cb14881af7b76d881693c303412920d2aaff9737fb9dfb73b3876f3eba8962

SHA512
04fc08040539e9fbe7fa6e8ead1b17ade1ec0c73534069ecc8d7d1822d0a2620476b432b0b6aa3277b2a876a48c7c16e856e7d1f301c46627c924bbefa4309b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
25f9251a35ca29d8c8e632b498a86093

SHA1
db19361cd53ca7b211cdf49a37643e3cc3e328e6

SHA256
bba0f7f568d58698e492bdbf63dcbaee99327e549504118bd02f831ecaa3a25c

SHA512
d3e1b6838b76d0df204b67f0d9eed4cbccb90edbc1b1aaee70d1bed8684cb45ffa396dbdc7780bd77a8625011bbe0047923b520139ccab8a188f03d2999ce863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
af730a9dce423b23a2f3adf7a8c738c5

SHA1
797a8965cb280b56fd7d713bd400fdf7c19315bf

SHA256
25aef81180f2a271d22c1f0f321bb1a1731c61f6aafc7e2910f53a5a02098f15

SHA512
4340ecc13594487139e27788f62310b66161fdd9df91968780cb6d199bea6a72e6b6d0185af9f40a5e6c462ea7d72a7771b02d4e7a45b04b2ad3bbb9e5e46be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
86b32ea204ae21d20104507229f13310

SHA1
23ab1d2a1bea04c6ad849d3da37234b96901f2af

SHA256
2e4eea0c0fda6ef8de477e3fc46d4d1cc32e4cc2bd7f0f4a78d3853cebc3ac8b

SHA512
94d678239057ba68ec24c1c41a4dffe877dc4202096e4957b73eacbf467e2701fe34f6bb0f6d15a608823220fabd5bc7f962ae6e58456c2859956a808a27521f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84b3390f444b9d996f3b76a4e34b6170

SHA1
3cf36a91959f9d51ec56ed16d8c13816be0b2417

SHA256
6295c811ff66a26e0c24efe2796c90825e51de29bc4e3998dfe3b93b8f6b5b6c

SHA512
82a3b07fa0a34134128ffe7078585090e93ed9a358b15ce6adafae9c88455d78f7f45e9b16077b489cbab8ded644cd1d4b0276899da3cffaf821505cb597c0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b13d58ff7a57438f98bec06aef5150a0

SHA1
e86a0c7e7c55980b91c7bcb13103413941cafc2d

SHA256
091da4e0bbf0136f6dc653e01b775ee6c4ebb71e500ac832099729d137c89a19

SHA512
a84a5f4765b91e9a8c64777961770b64f4c35aed8eb84e5e52858ab4a46ba2c43347c33313618f3ca129a245acf28eb8614e5b4315eaca158a18d0af135cceec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13d4f2f62366617a0841e9d31f1326cc

SHA1
c5221562946445146d5eeb9af1e83b98de5bade3

SHA256
49d0892f7fc6180c68b487e9c265295f2424484598b7b172d0c13b7fb8eef792

SHA512
7ae06041e8847a964c2d4a8aae89012d7ba0723a384b3ec6c8a807ec70b7d20f99b2d0827884259def0d0c3ad6c1b1356c79f546f3d3356a4c4c2473b749a0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
edd3f104471cda39dac3b49d9892f736

SHA1
3d153158c870434d56e1915785fd49dc247e038a

SHA256
feda9acef6681af81bd5cbcb71411ae8b0521d90e00b72e865ca63b247133068

SHA512
543f483dfb54bdb760c10d8563defae8837dffee15f8273fafa1e38395386c0ef7090d6c5b0a4ed9a49c17f63f52ef9ffc697624136da8bafe0b82630ad1ccfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8baa05a1098b648e789d45284789bf26

SHA1
3c9d39e89683a74da1dae250f3cccc0171cf5c50

SHA256
f591c6711f9a403803c687082b79c81465a2f8c40f3b3cb109da11f626c07efa

SHA512
d8655a924c98a07fc4e220995a52f8e175827371731403859ebf4fcb59e14c81df598f20577e9f6a1f0f9d9e7cb3262cffcb995f264c111cc2ebe5d5940f8042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b31e3eb93757a8cbe611d064bf02ad79

SHA1
7f1102034d0ed584c3bc64901d09ae42f48e785c

SHA256
9fcb913ef882ec2d130a9434823130d85abc3a949adf8e02c544971c45e41b9f

SHA512
4bdea0ed9925c1ad4deaccf7d2b8b162bb670fb488b516b602233d719e6ef89fe190390128417e97feecb8b595cb2a37ff9ef02aa353fc88dec6dd256491ceec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c3b756d5f4eba8d8fb86f06cc276a9b

SHA1
d7a475513424b51e24b3920f289497532cbd70cd

SHA256
27250e00d666fb348e86ea541e5c7ddfc5e1b70ba0a5a130b17fe7d10c19f49d

SHA512
6d1308ea83f9c916f2ca0f230c25b80e560cc345471dbb579c5e5688ab63b70e3b35ce1e9dd39ed845a6e170654a47ce84832e676ac0d1b96e57b7c21ac9015a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bff971009ce32cbf64330c9ec6aae2c1

SHA1
334212c207cbdea772035bd43bdee09cc48ba406

SHA256
351a120ebcb1a1b62aa3f93716652653fac20e338b73168d0d937197c9d19903

SHA512
0b7d8d86daabee6551d0a0712719db60234372575d3ccbea4ee05d7a56c3601d9a436daf5a93beec94e60874d4e506715ebf196f6d29130c47d2f2c2e67122ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5412bc33fa560b6391258303625e18db

SHA1
f09ae9dadab66c3a2901bdee615a877ea8f74da7

SHA256
f1b9bf7f1a9f6f6db7ea8ddb0a900137ef2a56bd48e3e1780353c1a4a2ee547c

SHA512
6d0caa397f0f83da5b829dbe1960727ad3f8b4cde2ba31f0826b554a9f05ce1111823f40ce86cde4ac4f0610b3bcb317bfcf8139794593dab457f2b81e9c732b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22f756c5ee7e467fdf773fb2dd7c354c

SHA1
ad43c57e6b01422475a5048a7909431868b39d28

SHA256
cf75770b913a53d125217b8850d08534919b96357728f1e2a3d8a0e55a8641ef

SHA512
0460119e01117e8acf9c7b7bf4f7fceed18e655076fb4d9f87f690180f479bb305f43f343aaa889ccc49aaf91b711d25a760cbeb6e408aea57f1c71c89a47a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
957ea035170477092f5b3a87875db8cc

SHA1
68edf591894c852bc8e1c68c7775cc36e5dd3e85

SHA256
4e04a2b395b95bd99e7f3b660fc6c68de8a0ea6d45166f0f7083f8399f722b88

SHA512
13bec015c78f99bc7795f1d611f000e4bc65fd218654651496ff4e0e79e7d12d17e691b3109676f08de31e775dc7a21e8e1781d879f48a81fae489ed20c5f21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
285da8ffd3a497224546231485b7562f

SHA1
5209067167b5b02c42292e813a09cd5e35ad8084

SHA256
b87b91c31486600de24494ada2bb2734894d3c2e929d56940a34bead3ef0292f

SHA512
82893a31f9bd87a111f5fb2059cddc279cd964b21e19ad050d6173ad63e7df26b678d90ab53a09d11f77bd20245713a37f39c692e2c09c886b57b80a21fdb581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9aabece3f4ac7e2d8d8da29f79f67b13

SHA1
a1a641ecc64f2a944b648cb1d53081f629402b46

SHA256
741f71ac6a390dd0e900b1305179088f79bcd75a8a4c9d40fbb94b30dc8bffaf

SHA512
74ee5dacd8d233cf71e9f502fec892cae47307365c9989ca50ae54bf1e2e2d01a00fbbcd19b22c35fd9aab300d05490bc7f83b0e94e7283759e663813f39a695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4062c090157d2957a011714f05802867

SHA1
efff43909d8304dbbf4d3194d355e7bb6eeca8b4

SHA256
971744771850b01c804460d4a600af106d5bab1a9b6c3596816ae37d7276ed8a

SHA512
318aa9562b220e13c6edacebbb0298ed9e96235a08134868d1ff41aaf51a2b39860836662994861072a89b98cd8615c8006b281f0fe8f127c8ce5c34b80ef4dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98c60351f2fa02c6c822abc1af73c72a

SHA1
4c8da1f6ea81a697aeaf83b12440e40571447e82

SHA256
23a09e7a6a59d482c83e5d21dbf3243d292abf8aca618af96ec3d218f6782ab5

SHA512
b9aac7f0926b4d06c2707ccb89964b10ebd242cdcf72b066b6964b36ab07c872cbaff482fea6c8fbe3a789f32434dd8c1adb51c2d17e954fc5125e17dea06fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c31a78c179d83cd0e71f7cff41796b8c

SHA1
64e49a4894f827de6bad4d9a293cae1b5b809764

SHA256
cc11d8bbe6bd3cd1d6a462524cdfdbc677455280ef1086e9e56eec081096999a

SHA512
61b6923e0c2da3d7b24e099d29c011e13d72493022b2153ad4396e84d35e9c7ddcbe26dcaf1a6f4fdcfbe32b49fa13e3efd7d41426fca128c4632f6b4c17393c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4046b5103ed0bdac6e3728d57340914

SHA1
61caf1b297d388102201039661b7684d42fdab6f

SHA256
9db21207d76ac916c9cba53b0a8217940e4e60338c9cf806374ff4458de73f4a

SHA512
312d5e19a6b23778d600414a1031e1d331a68a6cdd9ef52aed095dfbbd9a0a9a1238ec90cffc7311215207cb1f28b75c3764960543c3082eec376750293f978d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0607c6a9fc3a3f307fbfb8a367bf956

SHA1
5549f0ab786ed51583a9f868c8db9e118ffe8ad0

SHA256
6a469ac72b1c57e887c7c7356edf6d52a8990c86cd494c2e1605fe9af5aca324

SHA512
08f6d7a7fe17cfd5af4d482d4e258177a0510d76ac992460063862781cc988b1a24333c33812900b3e1d336153f50c2e03527d9f7a80406fad2033aeda5f28d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
444617da11d74ece4ff35b5c5c0aab3d

SHA1
5f56e24013c9491d9e33a83fcdca5c98d2d10204

SHA256
37f68ed43bf1f1b5bbab46a9be68cd1fbc37c2d9d3d08d126c60fbf7ac70f82c

SHA512
09896dd0a805df9fb8897241fd821770a243ab337f1671b8bcfb1b6a14350ef318920675874f3591e4e495b4a6f67af6de1ffdaa1d116b6a4d2e3b0070565d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66c0d522f821402f4de95609325c09c0

SHA1
6f75627f9cbc38036cc86cf2b5fd85bf1a8b06d8

SHA256
d67f3210bae87d0be7a9fccfd44408dfb2e164ce1044427231c82662ff4dfca1

SHA512
aacf750aecaf76235debe41f9829fb03e017598196f0fc1035f61a86e0fc18107e693ca2eeb933130025f1e55ff8be79292b2456910269d97970f3060c3823c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f3c4ab643a0d2e00cf1b19a76dce4b0

SHA1
f12499ac9e1993a0b71eb95b0da17a7574489218

SHA256
f06eb27eba838ba39bbe20502cc17bd2e5a6334f5f738f55742e33eaedc0c725

SHA512
18edb07256f13d1ad77a315388de09cfa111f8c8d2eaeaf6401e6525b30cbda72b08afd058154574a420362d7a02a94ba49248d762931367d8d3958f9a21cdf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92aadf5dca9aaa35526c7bdb523b5dcc

SHA1
3fd77fa5e85d444c3619a70dabc2fd39000ffece

SHA256
13c79b3a5311f9e5e1386dbb44bfe5fb44628241464d910bdd5c3efe3f159484

SHA512
3b65e1e3c9299fcab5d28e5b23a69f6e32775712d614acd59e2496765a5eba83e589852f469425571e29a692dfca8d8f7c11854c68689d4755ce7cbe8635b159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
412a9f8db04b2790f10d9bc64dc9be6d

SHA1
409360e26bd10978b1cc72f1f9ffc44cc25c8690

SHA256
6d9656325b02ead07f3bd6a6a4ef534d9add7f43de5faa2ba8b43fd90892d6b5

SHA512
532cdf27b8bce25b86665d310744b48220858c6ddee837d5c73175a6e2cfb320b982ed8724e94dd26a015373d9d69764c40fbf4717892d6c1201ccc561815cea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d477e6c570bd334f3374657228ff80f0

SHA1
e42db3d0b895946eb093f807e3a628fa715f395e

SHA256
b3ef197cf7eaf77cd63714d0806e5c297578b19ef861fd6277827afa54b06a93

SHA512
cd6dd2da7fca131f4d21fa1daedd0ca282cf7d357cb2a37f57c746d95ac7ca19cf8193480e9a02d5eacb5bea32eebfb1f7b9b3dbc30d0734ca7beb0ec4f90bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29659e6214770d6830a0b196dd93d65b

SHA1
b7eb1c51512288c584ccc4772728cbb181c67f01

SHA256
edec379e4fca4c07e25f2f0db96417ad8a475a6ac5b496b4a445e27ee1fbd6c0

SHA512
f4a78523e0165eb26342100ff4854ec206b5f5877c8560ce11ecfae37482302a39da3d5313434379dd426cc2ec59ea886b4d9bc8a0aac132e95494628ee89d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
db75b8b227af5ab547b1169e42418a78

SHA1
8b6f3138a6a505ccb0904f1163e90c54da48d620

SHA256
ab735d68d2966e1039f6e4f2ee250928d0784153b126fb2844e8fa6ac3eec71a

SHA512
7d68f195293037c62e9fd67069e68d9c119fe2702224498ed372d451db2e26a13b58f4758886c42c29c9039606f34fbc73f8268e00b01fe2558f235a6e6fbe98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f0b74446c87d3d73a9d58bc2e9e6cb2e

SHA1
b8106d8f52a7a9823aecfae6e44278bfef7b02e9

SHA256
11f10676ce2a3827ebd88b29a9221a64b059cd7beb2b3e253eb07d8db050f6e2

SHA512
22fffe526c3f3a2dd3a2eeb5b9f1023d3efe444497b7174b006c016b54f6a62805c63fd6722a2a306a25b3f40b2d09636b8bd6c310fd7aa42f1395efee386fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
74db705cbba0567903f45ea545549169

SHA1
95f1a6079d24e0e8be9e2710c79cbd7aadda3712

SHA256
0ef271be85c39e4599f2ebd60a0cc9aa3295918af055ae22b03b116ba0ff8fd7

SHA512
34fdcde7a54da41511e873dcb516d3fa91d67e0cb5d6461e04a277bbe30cc06ca0b7c13b705b36e2f9227423ec2b42733c2fc4bab8a1438769afb3cc77e338f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3d6603e571caf162c9212145fae8c176

SHA1
ad97e7fa9067fceca8f6b8d7961c74bcc720c03d

SHA256
c1fb465e83b697311e5c480b1e95c7a915c670e1fcee122209a7b6dcb1960556

SHA512
6a19f324d104a9a6190df87fdb99fc944451b018b65cda501a3cc18b73ecc2878c98fce1bddb2259da293236edea3b2b1b3d725d18aade34996bcaa04873e8b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
82e5651abbba92bca7bfd5424aa9c139

SHA1
af34cacbe83bc1c46dec9995a986ac79a70ceac7

SHA256
82115e792a241f40be65cf45f2525851e31306bd23f9b8e88a713e7268044b4c

SHA512
d7b93b9ea1be17450f531eb480ac54385f1715385b1db6a6d9e61f579f4835efc40c388d42e553e803adf851003d270ccc44c8aaa0780461f2b777decf5a7215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2cc353544dcc23298c74a3d7557ab56d

SHA1
c8a38222d55e91d6255d26ec0671ecb7e3504912

SHA256
5d5baf88e397ca77d9a4e5abc35a5006cfab1ee5a55b6e1b40549c9aaab794d8

SHA512
6f4013309c2ecd99a1ad2d5be8c7a3173d45a3e52632c45af76251341d5496180652a8c9a7e0fdfd82d46ed7800962ca66cc4a11dbfb57b5ebea1d44726a62c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
095f5b1172d01713ecf5a8731bad06b7

SHA1
97b86c79f27596f28c28db8eaef8662ee0f1bced

SHA256
527a8e76c8864d565f31301942885087a4e4069a53d0cd280a297a394610e769

SHA512
4b88c258066cd47a310120c2d3716bda34e014aa9ce51b9eb521bd4475fb0c98be10bcb4244798ca37a03f34ea7a038ecf93ab62cde978bc68ec9b550d17fe72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4ce2c4ab465f93c0145e2f403b7d2932

SHA1
163d584e477a5b9caef6a50741544e05adab002c

SHA256
41d41e597d872ecd3576b3b28ac6d44cf811695e985bd5b0e6e388473d700f32

SHA512
966d982e65f3b0795b03cc2922bea34dd754d2d09a93487fe75083191eca006b63e42f54290154eb65356819728949039d7a8fd893c4df0010cd04f18dcaa246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8989b30450a7c1525e8f08d7ab160c7

SHA1
6c0187eac882885db78faeaf66cf2966a8383cf4

SHA256
2cad85e7218aeaaa93acdc0c31df3237feb34cd936660034856733766995dacd

SHA512
e8f79b4f4dc54a2243fe7fdc6c27c3c8c730ebea5c971e3666d1e62a6647e7d4e64a4b93985b4e4947fbf90bbc0fd0f1616ea1402bbd4b78e20ccd70cbb2caf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
463c4d1518626a52161fdb45075339fe

SHA1
63b18869b8bb6811e3071a8fa5da92111ff3c177

SHA256
a950dd0cb7c67811ff7e23bf5a8697c25c266657d910c9f8a4f571f6bd3344de

SHA512
f565a85d6c89d3405c2f99e958e9057312a22ef70d3c08e500407839a9ad3d47f21886fc21f2f6779789c27e95abe09ecea3ec1498baa0a224a7f24e773fdc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5d97b8117fbd7366f2910e722e9d5dc5

SHA1
fdb52c59dd0f938d92f79aaabdfb0769750648ff

SHA256
eb5c9df7422effa2b9ff017c0fb2c7911ae5bd653db6ffd64fd606896d453f0c

SHA512
76aae2ff250519cac3b4d42745317794225a005b3237fa65e5543a622eb8ee5defc97b25efab8b11cc773ea9f5d8fd021a22509de6ee2d8d657bdfe246f3c2bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86c090f830429681c832bf54d63132bf

SHA1
e59496eb2e016e7945290698e883cabc83ac7af6

SHA256
99fc6523cbbb6da06176ad2e3a663b566aa4a6d571a71419068eb720a797d6eb

SHA512
cc4cb539a4444190eabc1f602f1ab7c0ab8552a5463f68d0a316a23257b87c5fccd10f9a2df8113266fce06abeeafd90410984d8d73e71e28b6363c75681d279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b46ceadc99ae902d032530775a1f22e4

SHA1
bee1c42b7554616ef7aacbba61f05453fbaf9e3c

SHA256
36a7660161ff023fe5fa1810dbd097c5b0d0d2d0b8bdf693ac4644817ad4dfca

SHA512
360c315ee40fd186a058555c67d975d65fcf471a64236f1390846cd83769acdb1b2ab8421d34f388ad08b897fa19246c6dcdfbdc159e8e1bcc1ec83168aedc55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc26fe9f5eed98317022b0a88057fc22

SHA1
dfa4e8ce6bc5f9e9906d039a053860f86e35769c

SHA256
2def635ad74b783fdbe4c907a6272cdbb3edd2caf4a886cd8c684f7220145ce9

SHA512
5ec5caa8f754a0074497bd55273f4014311095c6a189a11ce6dd6923e2770c0a4c253878b46d7b4c898fc4b20a3475ebc23fdc320e0325ca6392740868aebdd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c33e7d92eb107d9096e2c4a6b3e2c541

SHA1
dc43ff97a280158daba90b1d4af37a6b99836699

SHA256
ecafa34618e7070046ae5566e84c593423d1942fd4a5c8842347ffd64df6e6f2

SHA512
2969ae4939e0f4d3da498d39dfa5d3faef531c30639edd98dff1524c934743d20ddf0cb0b8e4f1180e07b126654229e33a90f803adaa602b4d4bc3411804004d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d9628.TMP

Filesize
48B

MD5
f6a12ba2480e463e1772b2fe2ce78ccb

SHA1
951ca9273cb7715043e76a2f9fe0e8bb644bf85e

SHA256
b87fee1089a20b09eab0a4d10a949810fc4be6155364b585a1469778a2b479c6

SHA512
75f13424805922800793af5a524edecf95ea8740abe278f84b2e6682f78557f788644c3d9a62f38ca73807514ea82295e1922f253e471471e62cd4bc06784775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94ad87ac4a381ee5e5a8bf775ffb5047

SHA1
141e590f02f3963d68f67b419861336ee99806c0

SHA256
d94951a168f196846916e040417e2ef90f5668d64195825a495f3e39322b74bc

SHA512
4ef9a51ca5b6af660e5df846d88785f3db9d0e1cc71fceb2c0458b965a47be5a13256921a6d2f4c563838c38f9e7e51fb0700e73f800482c340686cd6e1d3720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a815b40b7ad8af5a2f1b719f72d5f36d

SHA1
117ea4f6ebf3b35e71a2dbad3fbfb3c368974acf

SHA256
a75072b91d1b776830f113ee7f385f88a22677da5cd18c5181f7d8918af7faf5

SHA512
f3cf5df192f9899b931b82ba2d8735172f472676521fe316829064514fcd5d993d51cf445a362456b6d5bfa563978a340ed066139342c11735a7ccf9290e2b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ceb283b82de38d859164c30aca6cf8d

SHA1
bb5cdfa9c8a19f7d98b549354bd5a8b3549adae7

SHA256
1eacc91afdf8e4a607ab8a71c7fbe6c1a50df52c7b7654a409b3b6dca97e8cbe

SHA512
6413ef4446158072a735e07a874a6796713a9c2d88300f4277b852d49a2899369dda036821f4b8b00f9a101cafe1c3f2d921bd59506f60471a8fe4b4113e78b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bba82.TMP

Filesize
538B

MD5
0e96b04601b32947c564f499f38a9f4b

SHA1
2082978e6242dc78a0e35fe3321ab2040b3627a6

SHA256
01028477f79cf6e794cd12629470bfde7482c5de0f3e07bcd92a47ce25ebf690

SHA512
cf154c605682ac66dda389996fa1a7c66204cad37ab4e2ba13908906a6558d64cc791dd3cd2bd63645465eec116b9d23f7265088bf1764c71016c24387c1b938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f17785bad046ced5a2a9faa6c385a2e3

SHA1
bbd0c9901a76778012df0d2ab091c4ffbd74778b

SHA256
be2a17c03429aadeec082e4721c4b5eaef8b9249666c67ccc6d1f8304a9b801f

SHA512
ca4876397922a65c4fa82e58506638be4fa011cc8d1e45bb8717d2ae350ec8be2019069943291a372b0fb2f15f9bc6e9dbddd7884ecc9271e25f2bc299900b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
89ad5aba29d856b4d93ef398e340d801

SHA1
61f0c62599e2f7a22f1210e247bae90c4aed9b01

SHA256
aec10051e026aed4c0b0576f52af02025ee5e10144a8df2413dc5bdd674d158f

SHA512
fd51f191a63252c3d83959acb01bcd0467e0652f0f873c00a98521c42b5676bd20dbbea08da5b813e6d87da1c6c02fa04dd2d928b4f2b5bae8d29a13606c2eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54fbff208cf049b73c8ee6d7fa8c5820

SHA1
a79633d809512614905ecf9ddae2a5d575d6736c

SHA256
d12fabb02d601ea9b6e65a536eb66678115c41b028e9b4aea000d723ac692256

SHA512
5cf63ba46048d8f23ae6769d65352b1642722637a9a0b8be43acdd160cbce2709429b836a44904f8794cba9da1570254afa420a54826c12ebb247f68f5eb4be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zoxeknm.j4p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\ErinevV3.exe

Filesize
905KB

MD5
75be298681093c17d0e0c9130be3721c

SHA1
08fcc6117207dff4e7a377159d2c99ba30801566

SHA256
9d7f0e66f98ea4b9d52a4d023586af0505cffccc39d3efb1fdc6a4afbb7b380d

SHA512
5f4dd1a40b74ce18abebe3b463ed41ac85ab7e6b25dc8abd0cb5ca165d17858f17470416cbc2bb87b829ca8359c4be50d24f7037a6c232fd317171a83914c0ac

Download Submit
memory/840-789-0x000000001B830000-0x000000001B86E000-memory.dmp

Filesize
248KB

Download
memory/840-779-0x000000001B8C0000-0x000000001B910000-memory.dmp

Filesize
320KB

Download
memory/840-778-0x0000000000C80000-0x0000000000D6A000-memory.dmp

Filesize
936KB

Download
memory/5924-812-0x0000021F69620000-0x0000021F69642000-memory.dmp

Filesize
136KB

Download