hxxps://download[.]cnet[.]com/ultrakill

Analysis

max time kernel
210s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.cnet.com/ultrakill

Score

8^/10

steam discovery execution phishing

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
214	4072	powershell.exe
217	5212	powershell.exe
218	1420	powershell.exe
222	2116	powershell.exe
228	1360	powershell.exe
230	5512	powershell.exe
245	1164	powershell.exe
246	5520	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
5820	Let's Compress.exe
5856	Let's Compress.exe
6016	Let's Compress.exe
6028	Let's Compress.exe
6084	Let's Compress.exe
736	Let's Compress.exe
5900	lets_compress.exe
232	upd.exe
4788	7z.exe
4180	Let's Compress.exe

Loads dropped DLL 60 IoCs

pid	Process
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
5164	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
4500	MsiExec.exe
5164	MsiExec.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5164	MsiExec.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5900	lets_compress.exe
5164	MsiExec.exe
4788	7z.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Let's Compress.exe
File opened (read-only)	\??\E:	Let's Compress.exe
File opened (read-only)	\??\O:	Let's Compress.exe
File opened (read-only)	\??\P:	Let's Compress.exe
File opened (read-only)	\??\Q:	Let's Compress.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	Let's Compress.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	Let's Compress.exe
File opened (read-only)	\??\L:	Let's Compress.exe
File opened (read-only)	\??\N:	Let's Compress.exe
File opened (read-only)	\??\H:	Let's Compress.exe
File opened (read-only)	\??\B:	Let's Compress.exe
File opened (read-only)	\??\I:	Let's Compress.exe
File opened (read-only)	\??\T:	Let's Compress.exe
File opened (read-only)	\??\M:	Let's Compress.exe
File opened (read-only)	\??\V:	Let's Compress.exe
File opened (read-only)	\??\W:	Let's Compress.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	Let's Compress.exe
File opened (read-only)	\??\A:	Let's Compress.exe
File opened (read-only)	\??\U:	Let's Compress.exe
File opened (read-only)	\??\J:	Let's Compress.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	Let's Compress.exe
File opened (read-only)	\??\W:	Let's Compress.exe
File opened (read-only)	\??\Q:	Let's Compress.exe
File opened (read-only)	\??\Q:	Let's Compress.exe
File opened (read-only)	\??\R:	Let's Compress.exe
File opened (read-only)	\??\Y:	Let's Compress.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	Let's Compress.exe
File opened (read-only)	\??\G:	Let's Compress.exe
File opened (read-only)	\??\J:	Let's Compress.exe
File opened (read-only)	\??\K:	Let's Compress.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	Let's Compress.exe
File opened (read-only)	\??\S:	Let's Compress.exe
File opened (read-only)	\??\B:	Let's Compress.exe
File opened (read-only)	\??\S:	Let's Compress.exe
File opened (read-only)	\??\V:	Let's Compress.exe
File opened (read-only)	\??\M:	Let's Compress.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	Let's Compress.exe
File opened (read-only)	\??\M:	Let's Compress.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	Let's Compress.exe
File opened (read-only)	\??\L:	Let's Compress.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	Let's Compress.exe
File opened (read-only)	\??\N:	Let's Compress.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	Let's Compress.exe
File opened (read-only)	\??\I:	Let's Compress.exe
File opened (read-only)	\??\U:	Let's Compress.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\logs.txt	upd.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e589ae3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CCA.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e589ae3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D3F1D672-2309-4B2C-8283-C8FCF22AED8D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA112.tmp	msiexec.exe
File created	C:\Windows\Installer\e589ae5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA50B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB316.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D38.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
5180	powershell.exe
5992	powershell.exe
5356	powershell.exe
4764	powershell.exe
5212	powershell.exe
1420	powershell.exe
1360	powershell.exe
5512	powershell.exe
1164	powershell.exe
5520	powershell.exe
4072	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Let's Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	lets_compress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	lets_compress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lets_compress.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	lets_compress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	lets_compress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	lets_compress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000047598b48120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe47598b48905927812e00000057e1010000000100000000000000000000000000000092bca4004100700070004400610074006100000042000000	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000905937811000526f616d696e6700400009000400efbe47598b48905937812e00000058e101000000010000000000000000000000000000000e58ec0052006f0061006d0069006e006700000016000000	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 66003100000000009059528110004c45542753437e3100004e0009000400efbe90593781905952812e0000004d3d020000000700000000000000000000000000000086ea48004c006500740027007300200043006f006d0070007200650073007300000018000000	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	lets_compress.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	lets_compress.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	lets_compress.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Let's Compress.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Let's Compress.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Let's Compress.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 727554.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5900	lets_compress.exe
5220	vlc.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
3824	msedge.exe
3824	msedge.exe
4436	identity_helper.exe
4436	identity_helper.exe
5680	msedge.exe
5680	msedge.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
5456	msiexec.exe
5456	msiexec.exe
5180	powershell.exe
5180	powershell.exe
5180	powershell.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
5356	powershell.exe
5356	powershell.exe
5356	powershell.exe
232	upd.exe
232	upd.exe
232	upd.exe
232	upd.exe
232	upd.exe
232	upd.exe
5512	powershell.exe
5512	powershell.exe
5512	powershell.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
5520	powershell.exe
5520	powershell.exe
5520	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5900	lets_compress.exe
4896	OpenWith.exe
5220	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5456	msiexec.exe
Token: SeCreateTokenPrivilege	5820	Let's Compress.exe
Token: SeAssignPrimaryTokenPrivilege	5820	Let's Compress.exe
Token: SeLockMemoryPrivilege	5820	Let's Compress.exe
Token: SeIncreaseQuotaPrivilege	5820	Let's Compress.exe
Token: SeMachineAccountPrivilege	5820	Let's Compress.exe
Token: SeTcbPrivilege	5820	Let's Compress.exe
Token: SeSecurityPrivilege	5820	Let's Compress.exe
Token: SeTakeOwnershipPrivilege	5820	Let's Compress.exe
Token: SeLoadDriverPrivilege	5820	Let's Compress.exe
Token: SeSystemProfilePrivilege	5820	Let's Compress.exe
Token: SeSystemtimePrivilege	5820	Let's Compress.exe
Token: SeProfSingleProcessPrivilege	5820	Let's Compress.exe
Token: SeIncBasePriorityPrivilege	5820	Let's Compress.exe
Token: SeCreatePagefilePrivilege	5820	Let's Compress.exe
Token: SeCreatePermanentPrivilege	5820	Let's Compress.exe
Token: SeBackupPrivilege	5820	Let's Compress.exe
Token: SeRestorePrivilege	5820	Let's Compress.exe
Token: SeShutdownPrivilege	5820	Let's Compress.exe
Token: SeDebugPrivilege	5820	Let's Compress.exe
Token: SeAuditPrivilege	5820	Let's Compress.exe
Token: SeSystemEnvironmentPrivilege	5820	Let's Compress.exe
Token: SeChangeNotifyPrivilege	5820	Let's Compress.exe
Token: SeRemoteShutdownPrivilege	5820	Let's Compress.exe
Token: SeUndockPrivilege	5820	Let's Compress.exe
Token: SeSyncAgentPrivilege	5820	Let's Compress.exe
Token: SeEnableDelegationPrivilege	5820	Let's Compress.exe
Token: SeManageVolumePrivilege	5820	Let's Compress.exe
Token: SeImpersonatePrivilege	5820	Let's Compress.exe
Token: SeCreateGlobalPrivilege	5820	Let's Compress.exe
Token: SeCreateTokenPrivilege	5820	Let's Compress.exe
Token: SeAssignPrimaryTokenPrivilege	5820	Let's Compress.exe
Token: SeLockMemoryPrivilege	5820	Let's Compress.exe
Token: SeIncreaseQuotaPrivilege	5820	Let's Compress.exe
Token: SeMachineAccountPrivilege	5820	Let's Compress.exe
Token: SeTcbPrivilege	5820	Let's Compress.exe
Token: SeSecurityPrivilege	5820	Let's Compress.exe
Token: SeTakeOwnershipPrivilege	5820	Let's Compress.exe
Token: SeLoadDriverPrivilege	5820	Let's Compress.exe
Token: SeSystemProfilePrivilege	5820	Let's Compress.exe
Token: SeSystemtimePrivilege	5820	Let's Compress.exe
Token: SeProfSingleProcessPrivilege	5820	Let's Compress.exe
Token: SeIncBasePriorityPrivilege	5820	Let's Compress.exe
Token: SeCreatePagefilePrivilege	5820	Let's Compress.exe
Token: SeCreatePermanentPrivilege	5820	Let's Compress.exe
Token: SeBackupPrivilege	5820	Let's Compress.exe
Token: SeRestorePrivilege	5820	Let's Compress.exe
Token: SeShutdownPrivilege	5820	Let's Compress.exe
Token: SeDebugPrivilege	5820	Let's Compress.exe
Token: SeAuditPrivilege	5820	Let's Compress.exe
Token: SeSystemEnvironmentPrivilege	5820	Let's Compress.exe
Token: SeChangeNotifyPrivilege	5820	Let's Compress.exe
Token: SeRemoteShutdownPrivilege	5820	Let's Compress.exe
Token: SeUndockPrivilege	5820	Let's Compress.exe
Token: SeSyncAgentPrivilege	5820	Let's Compress.exe
Token: SeEnableDelegationPrivilege	5820	Let's Compress.exe
Token: SeManageVolumePrivilege	5820	Let's Compress.exe
Token: SeImpersonatePrivilege	5820	Let's Compress.exe
Token: SeCreateGlobalPrivilege	5820	Let's Compress.exe
Token: SeCreateTokenPrivilege	5820	Let's Compress.exe
Token: SeAssignPrimaryTokenPrivilege	5820	Let's Compress.exe
Token: SeLockMemoryPrivilege	5820	Let's Compress.exe
Token: SeIncreaseQuotaPrivilege	5820	Let's Compress.exe
Token: SeMachineAccountPrivilege	5820	Let's Compress.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5820	Let's Compress.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5976	7zG.exe
5976	7zG.exe
4180	Let's Compress.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe
5220	vlc.exe

Suspicious use of SetWindowsHookEx 59 IoCs

pid	Process
5900	lets_compress.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
4896	OpenWith.exe
5220	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4156	3824	msedge.exe	83
PID 3824 wrote to memory of 4156	3824	msedge.exe	83
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 2924	3824	msedge.exe	84
PID 3824 wrote to memory of 404	3824	msedge.exe	85
PID 3824 wrote to memory of 404	3824	msedge.exe	85
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86
PID 3824 wrote to memory of 980	3824	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://download.cnet.com/ultrakill
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf21a46f8,0x7ffaf21a4708,0x7ffaf21a4718
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Users\Admin\Downloads\Let's Compress.exe
  "C:\Users\Admin\Downloads\Let's Compress.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5820
- - C:\Users\Admin\Downloads\Let's Compress.exe
    "C:\Users\Admin\Downloads\Let's Compress.exe" /i "C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 1.4.0.0\install\22AED8D\Let's Compress.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Let's Compress" SECONDSEQUENCE="1" CLIENTPROCESSID="5820" CHAINERUIPROCESSID="5820Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" ACTIVE_WINDOW_NAME="ready_installation" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\Downloads\Let's Compress.exe" SETUPEXEDIR="C:\Users\Admin\Downloads\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1734124728 " AI_INSTALL="1" TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\Downloads\Let's Compress.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:736
- C:\Users\Admin\Downloads\Let's Compress.exe
  "C:\Users\Admin\Downloads\Let's Compress.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5856
- C:\Users\Admin\Downloads\Let's Compress.exe
  "C:\Users\Admin\Downloads\Let's Compress.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6016
- C:\Users\Admin\Downloads\Let's Compress.exe
  "C:\Users\Admin\Downloads\Let's Compress.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6028
- C:\Users\Admin\Downloads\Let's Compress.exe
  "C:\Users\Admin\Downloads\Let's Compress.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1220 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,742114655679405696,17579504090646147964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8CC08F68F6883C517DBE85B21D58947A C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss27AB.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2798.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr2799.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr27A9.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss457A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4576.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4577.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4578.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6491.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi648D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr648E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr648F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss761C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7608.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7609.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr760A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9216.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9212.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9213.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9214.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD3D8.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD3C5.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD3C6.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD3C7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDCA8.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiDCA4.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrDCA5.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrDCA6.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC356D45C015C8058F700E94220AA56D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA845.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA841.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA842.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA843.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssB626.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiB612.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrB613.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrB614.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CAA1B0551B96981A01041C73E08219D9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6B52.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi6B3E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr6B3F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr6B40.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7B94.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7B81.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7B82.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7B83.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5520

C:\Users\Admin\AppData\Roaming\Let's Compress\lets_compress.exe
"C:\Users\Admin\AppData\Roaming\Let's Compress\lets_compress.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5900
- C:\Users\Admin\AppData\Roaming\Let's Compress\util\7z.exe
  util\7z.exe a -tzip C:/Users/Admin/Downloads/Downloads.7z "C:/Users/Admin/Downloads/Let's Compress.exe" -r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4788

C:\Users\Admin\AppData\Roaming\Let's Compress\upd.exe
"C:\Users\Admin\AppData\Roaming\Let's Compress\upd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\\handler.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4896
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\Downloads.7z"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5220

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Downloads\" -ad -an -ai#7zMap31114:78:7zEvent6569
1⤵
- Suspicious use of FindShellTrayWindow
PID:5976

C:\Users\Admin\Downloads\Downloads\Let's Compress.exe
"C:\Users\Admin\Downloads\Downloads\Let's Compress.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x33c
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589ae4.rbs

Filesize
19KB

MD5
90a08436843c9a056d8ccd697b2eb3b7

SHA1
edbf359e04b12da44a385a7bb183c582144d3468

SHA256
6402511421e837d9d6c36818914b6fcb90fb2d873baf6641ed22a4f16f055be3

SHA512
a987cf24b4116057e084d5649a49edb01201a5b139faf821322ba33f166f784ce880fb6e3af72e01cadcc3fd6797b250ce894754066478ffbab9e25964396320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D343022F8C5E519322B5D9E07C403E21

Filesize
1KB

MD5
64cf6bb578708723075a62f5803e8e57

SHA1
c31fc1f527d8ab4ea0ba239ab1d98b17f4943027

SHA256
87e173a7596c8cb6f38066393712e687ca5995fc35150d1d45cc4936195606cc

SHA512
68557593725657dc489e590386f267add522c2b392a4b8c31133d5aca774602766431c59b990f1137ce1b5b38ba28feb2824cf238d241f2eab7ee7b870123a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
2af9283a864b4a2d577f80c97da99024

SHA1
964df4f62c4fcab2af156ad1c2afd63f605bc693

SHA256
3cbcab28cbb6d7ed9a85b6ce5d375e04fad7049920e797d53c4706f0a05b76e7

SHA512
53b2abbd7f8b86b8523f238e25fc9135b0e5eccacf736ce47869566deaa2692bbcfbd2aab30864c8b1f53d59fba265a13488b34e8d1218504e8cb9a11e6c4806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
74e5396f986412ca03882bbd2f8b269c

SHA1
cc4dd3b98c5f897494d809bfae2404684ffc1e37

SHA256
2b3374f308b939887d4f0dc89477512825fc0976435315e11a1705beef0458df

SHA512
e0b4a3f11f2cdb213373cdbe2aef7fa80d1c7b8a8c2a9d1958472cdcc5a4cf5f344703ae8b083fdd07e63de6b4a2a8edc258af51c8d544102f69eb9009aad3d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D343022F8C5E519322B5D9E07C403E21

Filesize
536B

MD5
9545926085534fb332df0e3a7185fd01

SHA1
7bef11bdd208efe87017ad4da432589e67d0810b

SHA256
08770c5e4d5d31295df9a62280cd16d2b0fc458943afa46dcfb2b7fe45b855f3

SHA512
597ffb9c3cc14e344155c3adb2a09808f1aa942203dacd60b724528e2b3326f0f2e9dda43094713a9316140e184b3731e1002b42f71756aa2abcff1e14cb287c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
cb2d78e0d913c0bdf095e11715ba814e

SHA1
770ec1ca941e7816571e89fc461b1ab971ebbbbe

SHA256
6ada91febbe38372e3daa590f9d8167c7cc64634a06451626dbacb777967e74a

SHA512
3446e73dd149a21b24fcb84a06291f5e90f031e5c0bc6244336c11e76ad360967726d95dbf1796b95bebaf88a7b2dc00af039015cbf91fa92681f309974196d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
0d9848bed2a9d170907428385fce771e

SHA1
172303434dac691fe45a9be80745c59f6af7d115

SHA256
2fbf1e54c9bd1741e63bfd907143ce4ace3a27625dadcdc9be572620b58ca9aa

SHA512
abc9b425b99ca7437652b63b35a1c40266de18dc57673ff826a3d996db073143832e9c91c17c781ab325d48b5398affb02ca01c9f438557dedbdf1ef83b20dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e32eebd345224247e34290e3301ec990

SHA1
3a6e137152390136a097f8060f88805defdd372b

SHA256
fd39a8fe2a2ca82d501a25897203550918e5c5abc981c8fee83017b9f9ebdb27

SHA512
b376563c4fe835d0023c830a51beae9abbbf96aae6d6238dc146db4cc01ddc0dd124d894e52a6ae678f8bb0c417f836bdffbc22d9ea8583d75c1121301b2698e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\23604e13-6cfe-4d9e-a688-e90a468302b8.tmp

Filesize
8KB

MD5
a1a117529c29bd10429b57145f5d4278

SHA1
1639fbb416e03556b98194ea58ad08beac76c238

SHA256
650e5f26130f36c59d2d4c08218de2b09dc9bfb5e40f2ea63ea524853f57f671

SHA512
39a428ce4ec818064d3e8b6bf99856b2040e0afcd8f62cd22cbfc1d3e683532f41172325710ee7e271b9d803906337ed74377eb33d431e5e0459d80ea27c5661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
98KB

MD5
93a447443d8efefa79b9aa48dfda8454

SHA1
57514210fb25fdfc208b2ccb4f1fa6454a7b3c65

SHA256
bb1ed96aad9ad2dc152d24bf15a410f247c3cbfa9edd860acd453f0b0485c46f

SHA512
99fdc2b44be92355ac64bae6d7d702cc0cef480b072967838c9f67727ac3fb807940292e7f2b94eefbbf096204965ceb56cf08d1d49f431850d7180f645fdc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
79KB

MD5
f22fc5850a05b8c3f3ea1d2e07ee52d4

SHA1
1ab1d80e508cdf5214763eaefdad3adf073ab807

SHA256
d032e15310379a5158a61aff62c4fc612b9ff1f58138b53c9a9f7ae458ca4ce5

SHA512
2716ec34bc9c42908b69db863f7e81321d7edcb839adb4f46635bef75166c6bdf639df8c241b34508e822020b520e6ee100fc7c4acf6e031d200b06b97a5cb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
50KB

MD5
e7cf3822393a589f236dba1cbc8fa73e

SHA1
38eb03688872645b3a9abb164f0bdf9a14d72ba3

SHA256
5989cd3ea4da8d6dd55f37d0c66f4b6a3e26660f78010c940bf5a7bba8157bff

SHA512
decb83092415d18356e59b37c1dae690ea73e53c796ac593ce8863bfa2398276484b4fe07fd41c291600f8fc4a84128b94ea36444f8973df50018f54469267b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
33KB

MD5
0ccf3bd954d63e00acc99c110604fb13

SHA1
8571e02e15ec8591b679d1aa2cdb54b4606240ad

SHA256
c96f62c737b5003e968d911a0296543aded61199e7861593b31516340c6f9408

SHA512
3e568b8e5c6e2a3195e3303a01fd2f826fa792bf351e1f0a4d441d9b4cb38d6b29c35793073b4c0a3bebcc338e255f75a3ffe6723e403c5111451fc3ee93481d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
33KB

MD5
343929cd86d4cbd91e29221446ab21c2

SHA1
462e139f0a27f95e3f44a0dc874958086cac5bd0

SHA256
3e961ba189a67a3c09cc7c651b0ece833f1857f0b41982acbb51f7552d218507

SHA512
6446aa6a0d91e815737791aed8e412469a1e6f14e5b887419adf907709259ab98f80a41b2c3559aeece60893fe151d6dba85c3ab0d543fbb12fce4cc10db6144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
75KB

MD5
d8c697f9d2958e4cec5880b26400ad44

SHA1
b5699a5678bfe438f40b79ce75083c27a246c48c

SHA256
a415c382132a7c088cf4e376b6a5e1133ffc432ab4d52e23893ec04c468c9b85

SHA512
c314395563f0b82a53f5eda19e1c45f9e6f9e0de6760accae02e20589bca199583108cf9785cb826ad8bf5842003643989e3c1ff486531046d2284e01d2c9468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
20KB

MD5
be42578da113be82ef161157874207cb

SHA1
9dbb8f4bf675ed14844ec80f509572b489ceddf1

SHA256
b1356e6883c723ee65a82b2e0d29e2f5a067846a33ac984d8bc7cb063915e868

SHA512
0542a3cf9cf3cb3341743dce4ad96def53ad7a8a455f4a3d582bc96df05d7077efdea8af4b67c94f6169b60c60bb513431acf21961cc43adeceddfd182d7b73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
119KB

MD5
a5fd0853974b6653dfedf96705ac8c32

SHA1
a1fd4791e44ce977e97cc82963c07861b6dda89b

SHA256
e353bbbf22150140dde86c26f08c927bb64fc4466a935f9aa51d0c9fc7f41366

SHA512
5654a8abb9e00d5a1d05c6c4fdb10a7a933114317a8925bec8ee682083bdc56fe9074eff9c2240981012157a48231d728ce3ae96fa653195a9120b5de6eb380b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
153KB

MD5
1b2731006f2b2597b02859e501bc2d4c

SHA1
118d27a703cef3fb083593a56bbc93e62420f30a

SHA256
59dc184cbc1a318493460d1d78999cfdaaaac9a457b5a3a02c2567dfa17314bd

SHA512
f7452f91afe2fbfcb04f80dc7b051d874224de8790bbc53858678332a6b49f7295a15989a587811e1e8fb58a38625ec3e15657d88a367fd50d5b201d7abbe90c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
111KB

MD5
f1f1776d0040b6c4d5e12726d53abeac

SHA1
c8f339d7b2b7ea8a9002db487e10af98476d13fc

SHA256
e6626ddbdddbb7f232d38425883aab257fc6f9892965e915b2dc725d24d42a11

SHA512
0b432aeb90637425c67895dbb3c98e40ba48440059a6c90bf0eb7e0407b2fef42d50cb68d1022cfcb1228eb464bfb19d56a7cfd7ea970d918b8a9c45aed6f548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
17KB

MD5
c9211c6446ce9ad563a0e832bfc6588c

SHA1
289ff5de5db423fc0f36c9c505ef3d39ad3b35ae

SHA256
2799495e918d70d91b1bc983a247a0434635abb3880bf46fd215ab14665ed523

SHA512
c09814273c0931c09c2a20bdf653ccb50a2a9e09c3ff9044030cc123297c662c3ca4474a7674401892d185f9e83f89845914e4913e6878f7c9ef2a939d7afad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
77KB

MD5
6f7c26863627719521e8dfa3a074cb53

SHA1
f57cd70d325e0524fd88f19a0edf773433a60a40

SHA256
fc2b28f2e7cb3f17e4b2805740b680564eb2c8d82d2e3cf0f7671fd0954883b8

SHA512
739d060608067a67dc9d8edccefb78923815c88389b22fb72d3093b62ece3dc4b6b300b881b3416bd1c6e9ecdfaff42f4da80ed84352e95b5d349426a2e93278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
16KB

MD5
891e329b72bd0fe31a43827a6f070b9c

SHA1
cbde282df60433af5a228d1db3d396ff1a459420

SHA256
ab3c3eacd8d32ff2a617c2a550fab85127bd9ffa5fcc2b51623aab5d1ba50909

SHA512
d836bbc8a68daaf81d69292795dfe80dfd71b164b15eb649d0bbc4ae786e09616982518c39ad8deeeb5b4ccb4977ea8b201f098dc3759aa7cc415a8c6982691a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
f52e4a118c318f5025e5c073aba242b0

SHA1
0b4fb1fbc5f0f62fd5ae56145069daee274d3c21

SHA256
46f5f73343579025c44b7d5a5b014164934f858c4a5bd1a5eb9e6c3e2092cdbf

SHA512
251c7888ae24a920b6c11421856258fc7651af8593dce4cb9a4cad0a80dda3a19e197572b3b89b0f2de7b2e9ea313dd9d95fb36010f04014f7288b36193a9b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
27KB

MD5
bc7321f62fec1792b4b4b06eb70b55ed

SHA1
1ec07a8dea6ba3e7cfbcfa03fd41e4fbcab88d80

SHA256
4568f3217ad7eca8b87555678b82e4fe003aa5df2c4dd7cd27f469961b3bf303

SHA512
6fb01025e6d815f26047d4f2c0eee18a992ed550b73b4d23733b2d00c70827e1407828986c2fe13f2f08a991dc45e555177199c7f226ac5aed5323bf5436fdd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
a4f3afc86190a2d47f56664367af370e

SHA1
57613bcb2a288ef2508e847e7ba35d52f2e87de5

SHA256
52fd14eb766bc6676dd81e3bb50a4dad1891bb9a47e38c3ec620aa6c2b487c42

SHA512
bae75c59141ee60ef1fc2c745117fafea3d386b64f2f67c1022909f295228578bfc5e5e49de5a2f2efd57e75affc0a7d09fbee8fa50aadd82aff446773fc690e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
20KB

MD5
077e3f0d3dddb018c1e71fd8e46d2244

SHA1
b50954ed5904b533372fe39b032e6a136ca75a7d

SHA256
12ea854aa2a6588219451d4af53fcd368e24b109085062deec4e5b891e059e82

SHA512
f9cb475d16d3e8dedc6ef2feaee4f9bad365a8bb992352163a0a9f4ff9e809bf895fc0ffd59375e60a44e5c5bd1f43217177fb44ffc0cc76cc85e45a612b9b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
59ee96aea4061c8a38d2506c4805354c

SHA1
273902cf69f0ac50ad5c654fa14ca8ddc295b99f

SHA256
7c8672db679b72c70317a6edbf0c2311ed3653e1d911376cf232e334ec7eaf4f

SHA512
6ddc4427481f02ee4f3246384671ff8d41d856d8b0e281c651431a2377b16991c5bc3a3fafb5c1f80ccb05f9219cf201f9ec547286940584c0a671dcfbfefa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007e

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1953d0790679c111_0

Filesize
32KB

MD5
b61b7fbacf4f7aa8f0a06aeab77c7bdf

SHA1
322f09f1ae0821623966a7304bcd61de6c6b81e0

SHA256
3ad3be4b9832239c2740fd841332cc162136c016f30c33e58f156d6535676702

SHA512
c10e4f326566061a18638db04c2c025c1eb6be371d575646e1743faee24d3d6690fd56052f7dc3673dd9d055e1a56f3954212339223b5590be48736615a2fae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5e0361010311ef10_0

Filesize
3KB

MD5
e5856a6a9abeaff94168ba018e8ed640

SHA1
9db81d1b530037cb3bb713ba43dacfeec567257c

SHA256
069f27c758c4d5609d38e7ef36468f01b31900beebe4cd94e69fbd06b32a701e

SHA512
82c1940f7ca59d01999dc11764b377a52200c4aa16738656bb27e261833ae660874719495100098ee0bee314dfddd6aae9b0879ba971082cbb2eb4b3037962ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
9ed0109bf0e346f0ee1b77cb8e6defe1

SHA1
c36b308ea7e9e1814b56f9cf944cf5129d0611ad

SHA256
d2abd802be1e7cfcda90113187530d8bc6a7d6f1f05eee66b52e18df34bcc023

SHA512
b978e4ded70a338b6acc528f50fdad11a765094a2b53ffdd19c86827948bd65715fe17801d39a3406316af6c705210b5d336c1daeeeb91f632922dbca33cb935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
1c7c1e0514a51354a6326c1cca98d2b9

SHA1
768cf412881c2140d176489e4cd6a4e8349421e2

SHA256
34b5b153814bb8fc53c563112628141f03b10582d8f6e0ba4559566daaf09623

SHA512
b77e3551109eab2c7590c6234ccb878f3d9a7322b9c44983c70d3873d50a312073e441bd0bf7e7b7463acf8d361410969fe31a48fbb4de24c46616b577e4b541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7fc421b728f60601fad21c4fd69b532f

SHA1
0613c8c8d95d7894246fde4a7ff2b70f28f6432c

SHA256
e8fba9f00ef5231512564f68eadf64a3559695753c977b0983bc40b696650cd9

SHA512
67c170a7882c3fefdf52b9dd132a495538a3991db90103715eac9ae78b94847c36619989bf4b4fbb1f4172067d89bc58c020929e5173d11d250ef31103ae518f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
057aaa33fb61d431fd4ffab493623d1b

SHA1
805f01b460f044a6f47422ca6767d2717eb75925

SHA256
22a28ac84ab05bced39e9d28cbe5f76492c84c6c279380701a7d8c01e245c113

SHA512
1798009e929a5c25a613f3ddd30aa6b785fdd1e56b8557300259479d04e0c1e260273a875f23f3e44d7463b81716a9b636bda4b5e67f02a5e5c8de6a894339c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4c5996a22b813ab8e658a31f8a1927d5

SHA1
01e39883e113e6899de444ca6a0a79266bf1af85

SHA256
6b4f6251cee34ea1ce06ce906ff53259aba12ecaf010dd7c9d7ea1a22d6ecce2

SHA512
e32b9f52a38f83b6b728b2b450c271cbea6cfd1ed8be1b44705f9039e94d00c7ee83ac394ede89dc45e550feb5c0a189c46058f80290e8cbf087254d05f335b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
411339c2fa1456da955c6f50faea51a0

SHA1
5c7bfb8be106222c145d762ff563e77deed55641

SHA256
5f0999d71fd63e18f42302cc3fb92f1e9085c043d21a724a6b65f78e84b94751

SHA512
6804c24026cf508d01ec853b83537a402c9f1d7f70d32004595209e3114b914cff65aa69405d00101204750e9f2dc54af1931f07f0a4508a450525d11a4b404b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bfdf6fae2dfc4859449b306ecdeeedc4

SHA1
d54d424b22c8bb652f5f56ba5da4bdffbb6bbc0c

SHA256
49291ccc04242a51aea1cb9d9686401fd472208a49b0e0b441ebc74cb3194aea

SHA512
3d56d9722b2cbc05b4b71b467f26af971a67c8f64bfdab2b3897500430181110ffb44675d2c93be329275b87ca537874955e4b4436aa12b723777b528e12d0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d08771d8f33853ecd289d368e3bd5ee0

SHA1
cfce535a874d31849cb3ee6f215f52223150f4b0

SHA256
f52ffe8911314cc64074e375fce6d7f46b292cbd865c167c3fca753cf11a7c2b

SHA512
bfbd60861f71c858edc2dc333b766f5b8876ed7d1321b2692c3d1d42b0ac14eb19f201ebb1c107800b3cafd2842527ae61d90ea22f805ab4d37f0f65cb41d9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ac3af.TMP

Filesize
1KB

MD5
f71b628fb9d43d2ae27fe04f51720fc6

SHA1
6de179e6bb34f9fdf6319ebda46540ce19c80260

SHA256
52d1b8e94779b7ce8699dd5cbce7c913e4645264609eb9ac34ef042d93ac6aa9

SHA512
7c23acace9d62f634be565446c99fe699ea26dc9a7b878ca8417872842c282d8f7fcefbedf34bd13735140c1a406aaa280f5567511048296941bda8119ce9717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e0a8161e4a344067e45ff2dacf0f991a

SHA1
5c5a47edd417875290b37ec97c482682db3b1c7b

SHA256
86e3cd7a819f58adbf1922158dd9ae65dc64b73e3ecbc3c16284f2e78858ce84

SHA512
7addf703ff935216076841869db039c68edec3d74d74e57467a640dbba2440e93b38886c39aaf4e25a0e4446decc53c9cb394f95b251c2d8f1c89c0d06d59355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6e6048f7c8e29979035132baebaa3ce

SHA1
ea0a8ef1e8ec804e39f8f3043e27e54b85ef8339

SHA256
74823a6d253d557d871524f3125134a1b34ac34b76874b4a26cde6d770fd06c6

SHA512
33d46afe9ecf29b68bf415d85b979a60c60c8fc606e5a3d29c608014bed4e19cd6fec7f6bba85e02447f8a24199fc8aaa7f4f06c5ed9121d196e7e4198d526e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d028c66558cd33716364282681f1c580

SHA1
565666cdfe0e28fad4443c24e92661e8a4aed927

SHA256
07edbd4fbeccdfaead5f0da3d709ddcfa318dffa5ad99e394028a9acaf0cf2c4

SHA512
daf3edcbc78700adb2e17fb52fc5d81afb6e79bfc34cb2efa918a08963c76474eae069a4cdb7a9f8d90c3a6a8e7abe23381f4fe55a7fb5c8cab92e895997ba18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
5d86e7514940bd21df8e649b97c7fcd6

SHA1
dfafd622a8922508ee79a8c2a20ac0f25788cd29

SHA256
88e55a48694e6f84ca8dd41d8288f86cf0c3e84222a022b01cbf7226dc675720

SHA512
f984dcecac50488251f2b57e7c447f3d6d955266d8c3851bffcdfa6f04e3ce4fb2d13f8635560d75372390316d5bf918662b13419f20e3f678b562cab39da072

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5820\banner.jpg

Filesize
2KB

MD5
de1459af81f7d448e39553c663dc2426

SHA1
29b786b17b8ae102eb613970f305ecefd9ce61d6

SHA256
4f23824737a445244cb3ddc615eb26db9463142b170bf8ed9df1605bf23c26ec

SHA512
a3b26f33be15eab0ddff9790e179e3138580345335f05cd3094ab2889d381bebf1f170d38865822c91c9254880556af1bfd40018654dab52a0cd1f6021c8cee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5820\dialog.jpg

Filesize
18KB

MD5
40e9c790fc05030071eb615d195c28ca

SHA1
3a90c8770c15e7ed07b95d49f33299e1142c054d

SHA256
1d7d8d52adce21c1317bd7ed5717292e7bf3cf50332495de73ff6b8c0c9cd31d

SHA512
ba94e19388fe82f06e1f89f37cffbba608aeb3bf5229fb99110d740ad510dd2a47aa16c1ca4d3b501e6112005cc4caf4661437ace2dab71bd223b5f9ea21e5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI21FB.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2717.tmp

Filesize
649KB

MD5
6ea44a4959ff6754793eabf80eb134d6

SHA1
fac049850ca944ec17cda0c20dfbc3a30f348611

SHA256
7a23e492658e6d38873f3ad82f41ec1fa45102da59fa8d87595d85dafca6fa98

SHA512
e620835985a8ef03a55af210d156f9dfa6313d4c36131ea17fdad9b6acab37214041535efe99b7a33355ce8d5ff88e0c1ed10719726f4a23b51650cf7b15ae13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pro6B53.tmp

Filesize
55B

MD5
b4d8f0510e6f560e4e0750dcd7db583c

SHA1
6b792ece50c989db74df54e3cfe2ae38c0d09d9b

SHA256
2a9975511c6b0342323efdaeeb4a9274ee4be5aac41fe90f419ad968ff33a6b9

SHA512
9e3bfd892cce2b526a6859872f9af410a3d13d201c7b3362bbbf0deae8a6164d5f69d93d3f4c6881c95f9cd04914eb8c71cc7fe7e1440f93df91337c428abe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProD3D9.tmp

Filesize
25B

MD5
1b43037b95cb93e3ecc6b8b52d222bbb

SHA1
bada46a26d7531bf320308f1ec9dee2257811ec1

SHA256
a12412aaafbe703d3cf088a104de212bcec0b1dda826957a18a093e1fd353037

SHA512
ae8c4c36081e29963b8d5d05db81f4dff5dc8a877df912e14bbe2f4d594004a747a8585c962dab33ec7a2e3c5769ff62321c5f764668c4e7a052de3e73f2768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4czigz5.cxn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi4576.txt

Filesize
230B

MD5
c07da55fe72d61a72d3b2ce7db54f1b3

SHA1
65658d1f186d8259830bff291be480b18ab3379a

SHA256
9a10e8ce49577b736bd7fcfb7a3b4a29e13b7a29695abcac5a69597134ba1855

SHA512
77b59c539f49a2f4cd7a39507898eb4464dc9ba9e0920a96bffc57a917ac30cd53bb80a086d39611165c6ad367cba2d81ee95e330305beba4d0abae76f2b0218

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss27AB.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss457A.ps1

Filesize
36KB

MD5
ce057a9710f03bf49d7a252d855ce710

SHA1
181bbee3acefcf26aa425d4dd924e822d0b67ced

SHA256
14cfe7c23d6f9f756febadf1acba22638f00a98d3a4198f11bde785daa16b65c

SHA512
56904ba4d80b2512825b2000182e975d894e79ab1dea8f00b66caaf7a6df9788d57d8a1144d83ed59fb89388eed877309385ab87cdd0c96376fbf4b45ce0f4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss9216.ps1

Filesize
36KB

MD5
25318621e16f4172fadcdc88c14b0e1a

SHA1
79aef877a110247e27842771a1eea5ca46db1430

SHA256
4a90ce9f8adb1a6b9110956c4a705c28402e6ac705510f58b729975eab5296d8

SHA512
ebd48e11dc3f18ac64d9116cf70f478eed3f6b615033c916cb79560835e6e64b51a3b84bddd8cf668256ea0a21a053ce984fb0b75aaf9cce7439226d88c9bc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr2799.ps1

Filesize
1KB

MD5
112071ff00de034a6d5a4738d0112015

SHA1
f4dadedefebb237a3da3a8d38fe7cd1890f5e999

SHA256
caeff8215d14706bb3de55f6fe8811f22ae36bde28a619f48480596ab93514e4

SHA512
a784445f14a20d5ff5cff5afc7f3bf2cc8a11dd752a728e3d09ff10282954eb0018d90ebd621b98a07ca8e022adbe63643c11a7e72455ce6b899c1d605016dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr4577.ps1

Filesize
30KB

MD5
54fc2026c1acd7e2d7cbbfb74089587a

SHA1
81a2606e2965cb04936b1c244d4648666dcd36e3

SHA256
cf5e4292ec046a088f013e2864656764e7fb279a0dafd71d2b99eca79dfed604

SHA512
a84b0c19b472098737d980b9c6d7dbcf9dd142255f8b6116c48a6d07625709272573beef89065e2cf1326037149ec2abb3f1dad853024e7fed8fb0d50034db93

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi9A66.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 1.4.0.0\install\22AED8D\Let's Compress.msi

Filesize
3.6MB

MD5
77bea04d70f6f5231500001585e187ff

SHA1
5e17e94dffda7f555f8b4ba5d73a84db8f8f873e

SHA256
f7cdeb5e813b377d7d3086d5c4da0646b9cd98e170886cbe831d38099cbe5b3e

SHA512
548d1e7955a710964e484cdf1b0e639f80f2e9461cdc62e8999292e3dd07b9d9b6b88be6eae454c0c9456322d1a09110b7a998631b52d810ccec779a8839f34a

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\updater.ini

Filesize
126B

MD5
4438ee09c914fe748e3950807a1fb0fb

SHA1
b24b10032c57b48a6fea6c0930ef74d865c429db

SHA256
79b650ae8cbb4b010cd61238e62790ed2039ae18ef1d9c7646a5705954fb7183

SHA512
f38aaa9005e8bccf4b0e6fc67268b9de04b682e59117ca8264487c3bc15e7420a89a078c5f616d26b14748f001dbe6ba7dc7a18d38b84f17231213f5865f967e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 727554.crdownload

Filesize
14.6MB

MD5
58d6e317453f342f2385f5cdcee5747b

SHA1
31367bd1073d5d2e609313d99b883d0f1591ac3d

SHA256
307af128d05cf469817201a031d935db0e9890e9cb56257d8b2adba51e2ff4f6

SHA512
8beb92f76bacf157a58e856f8f217aa7e07b5b95461cd12f309f252d1cb2905691f5c81b000d6f5468c04dfcad623d656374ca33631ce488151316c2c0278ce2

Download Submit
memory/1360-849-0x00000000059F0000-0x0000000005D44000-memory.dmp

Filesize
3.3MB

Download
memory/1360-850-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/1420-516-0x0000000008290000-0x0000000008452000-memory.dmp

Filesize
1.8MB

Download
memory/4072-448-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/4072-443-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/4764-362-0x0000000004540000-0x0000000004576000-memory.dmp

Filesize
216KB

Download
memory/4764-402-0x000000006E790000-0x000000006EAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-401-0x00000000071F0000-0x0000000007214000-memory.dmp

Filesize
144KB

Download
memory/4764-400-0x00000000071C0000-0x00000000071EA000-memory.dmp

Filesize
168KB

Download
memory/4764-399-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/4764-398-0x0000000006F40000-0x0000000006FE3000-memory.dmp

Filesize
652KB

Download
memory/4764-397-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

Filesize
120KB

Download
memory/4764-387-0x000000006E620000-0x000000006E66C000-memory.dmp

Filesize
304KB

Download
memory/4764-386-0x0000000006EF0000-0x0000000006F22000-memory.dmp

Filesize
200KB

Download
memory/4764-384-0x0000000007E80000-0x0000000008424000-memory.dmp

Filesize
5.6MB

Download
memory/4764-383-0x00000000060D0000-0x00000000060F2000-memory.dmp

Filesize
136KB

Download
memory/4764-382-0x0000000006DD0000-0x0000000006E66000-memory.dmp

Filesize
600KB

Download
memory/4764-381-0x0000000006040000-0x000000000605A000-memory.dmp

Filesize
104KB

Download
memory/4764-380-0x0000000007250000-0x00000000078CA000-memory.dmp

Filesize
6.5MB

Download
memory/4764-378-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/4764-377-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4764-376-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/4764-366-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4764-365-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4764-364-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download
memory/4764-363-0x0000000004BB0000-0x00000000051D8000-memory.dmp

Filesize
6.2MB

Download
memory/5180-753-0x000000006E700000-0x000000006E74C000-memory.dmp

Filesize
304KB

Download
memory/5180-765-0x00000000071C0000-0x00000000071D1000-memory.dmp

Filesize
68KB

Download
memory/5180-743-0x00000000053E0000-0x0000000005734000-memory.dmp

Filesize
3.3MB

Download
memory/5180-764-0x0000000006F30000-0x0000000006FD3000-memory.dmp

Filesize
652KB

Download
memory/5180-754-0x000000006EA40000-0x000000006ED94000-memory.dmp

Filesize
3.3MB

Download
memory/5220-926-0x00007FFAE14C0000-0x00007FFAE14D1000-memory.dmp

Filesize
68KB

Download
memory/5220-919-0x00007FFADAEC0000-0x00007FFADB176000-memory.dmp

Filesize
2.7MB

Download
memory/5220-957-0x00007FF6BCF90000-0x00007FF6BD088000-memory.dmp

Filesize
992KB

Download
memory/5220-959-0x00007FFADAEC0000-0x00007FFADB176000-memory.dmp

Filesize
2.7MB

Download
memory/5220-958-0x00007FFAE1560000-0x00007FFAE1594000-memory.dmp

Filesize
208KB

Download
memory/5220-960-0x00007FFAD7610000-0x00007FFAD86C0000-memory.dmp

Filesize
16.7MB

Download
memory/5220-929-0x00007FFAE3D40000-0x00007FFAE3D81000-memory.dmp

Filesize
260KB

Download
memory/5220-920-0x00007FFAF1F20000-0x00007FFAF1F38000-memory.dmp

Filesize
96KB

Download
memory/5220-921-0x00007FFAEDCB0000-0x00007FFAEDCC7000-memory.dmp

Filesize
92KB

Download
memory/5220-922-0x00007FFAE1540000-0x00007FFAE1551000-memory.dmp

Filesize
68KB

Download
memory/5220-923-0x00007FFAE1520000-0x00007FFAE1537000-memory.dmp

Filesize
92KB

Download
memory/5220-927-0x00007FFADA0C0000-0x00007FFADA2CB000-memory.dmp

Filesize
2.0MB

Download
memory/5220-924-0x00007FFAE1500000-0x00007FFAE1511000-memory.dmp

Filesize
68KB

Download
memory/5220-925-0x00007FFAE14E0000-0x00007FFAE14FD000-memory.dmp

Filesize
116KB

Download
memory/5220-934-0x00007FFAE0C70000-0x00007FFAE0C81000-memory.dmp

Filesize
68KB

Download
memory/5220-928-0x00007FFAD7610000-0x00007FFAD86C0000-memory.dmp

Filesize
16.7MB

Download
memory/5220-918-0x00007FFAE1560000-0x00007FFAE1594000-memory.dmp

Filesize
208KB

Download
memory/5220-917-0x00007FF6BCF90000-0x00007FF6BD088000-memory.dmp

Filesize
992KB

Download
memory/5220-933-0x00007FFAE1430000-0x00007FFAE1441000-memory.dmp

Filesize
68KB

Download
memory/5220-932-0x00007FFAE1450000-0x00007FFAE1461000-memory.dmp

Filesize
68KB

Download
memory/5220-931-0x00007FFAE1470000-0x00007FFAE1488000-memory.dmp

Filesize
96KB

Download
memory/5220-930-0x00007FFAE1490000-0x00007FFAE14B1000-memory.dmp

Filesize
132KB

Download
memory/5356-878-0x0000000007910000-0x00000000079B3000-memory.dmp

Filesize
652KB

Download
memory/5356-868-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/5356-879-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/5456-824-0x00000208E9EE0000-0x00000208EA9A1000-memory.dmp

Filesize
10.8MB

Download
memory/5512-883-0x00000215DC1A0000-0x00000215DC1C2000-memory.dmp

Filesize
136KB

Download
memory/5512-893-0x00000215F4900000-0x00000215F492A000-memory.dmp

Filesize
168KB

Download
memory/5512-894-0x00000215F4900000-0x00000215F4924000-memory.dmp

Filesize
144KB

Download
memory/5900-834-0x00007FFADCD60000-0x00007FFADD3A9000-memory.dmp

Filesize
6.3MB

Download
memory/5992-812-0x000000006EA40000-0x000000006ED94000-memory.dmp

Filesize
3.3MB

Download
memory/5992-802-0x000000006E700000-0x000000006E74C000-memory.dmp

Filesize
304KB

Download