d86a8563804e2bbc440b8666452963c4cf097d9b513f19f83196026aa240d960

Resubmissions

06-01-2025 13:12

250106-qfls9sxlgs 10

06-01-2025 00:48

250106-a5tbmszrcw 10

05-01-2025 23:43

250105-3qj4ms1pal 10

05-01-2025 23:35

250105-3lf67ayphz 10

Analysis

max time kernel
130s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 00:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Eulen Crack.zip
Size

103.1MB
MD5

7774980c78b1377b80bb477dc7b11604
SHA1

ced28df93050336ef72ea495ac5d895485e93a92
SHA256

d86a8563804e2bbc440b8666452963c4cf097d9b513f19f83196026aa240d960
SHA512

667b64a8a6fb01f5c52215a1ba4735200401a38cbafd8289b3d0bb836d3531fa0128760180c752bf7ee2ec3e2da59f1a852e4af54f6651d5d28d9b7b89cdcc2a
SSDEEP

3145728:g5SBBXXY/wqKlgLcANxfSvjQVplqTOe9r8U3I8GK:xBBnYoYC4liBfcK

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
223	raw.githubusercontent.com
224	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\32d104db-ae0f-457f-b0de-20d771ca7bcd.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250106005039.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3256	taskkill.exe
4292	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805982190801350"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5204	chrome.exe
5204	chrome.exe
2216	msedge.exe
2216	msedge.exe
4380	msedge.exe
4380	msedge.exe
6416	identity_helper.exe
6416	identity_helper.exe
6964	msedge.exe
6964	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3268	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3268	7zFM.exe
Token: 35	3268	7zFM.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe
Token: SeShutdownPrivilege	5204	chrome.exe
Token: SeCreatePagefilePrivilege	5204	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3268	7zFM.exe
3268	7zFM.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe
5204	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 1752 wrote to memory of 2936	1752	firefox.exe	88
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1368	2936	firefox.exe	89
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91
PID 2936 wrote to memory of 1176	2936	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eulen Crack.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {230afc55-ad3a-4169-9bb2-da1cf4249d60} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" gpu
    3⤵
    PID:1368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcdb3c27-4cad-4758-b67b-73be5a231974} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" socket
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 2500 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5975a5cf-e850-457e-aba0-2029115126ff} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -childID 2 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5941ac0-fc53-4b56-a68a-920b082ed927} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a2033f2-2ab0-4839-a8b0-c3f03ea0c7ff} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" utility
    3⤵
    - Checks processor information in registry
    PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5544 -prefMapHandle 5520 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33669065-f7ee-4196-9ccc-c50f2ad5b044} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5512 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {412e209b-b61a-4e45-ae59-9e7874c88f2d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5632 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c3fc30-1e10-4d0e-a81b-ceba92b59e0f} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6260 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44f08240-ad14-43b8-a883-6f128f997621} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -childID 7 -isForBrowser -prefsHandle 6256 -prefMapHandle 3932 -prefsLen 34614 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ce536ee-60e9-4199-8aa0-3b133908b834} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffcd47acc40,0x7ffcd47acc4c,0x7ffcd47acc58
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1764,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5140,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5264,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4752,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5356 /prefetch:2
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5416,i,1831069258944627863,4761151713296492095,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:1408

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x144,0x148,0xf8,0x14c,0x7ffcd52246f8,0x7ffcd5224708,0x7ffcd5224718
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:7092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:7068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x274,0x278,0x27c,0x170,0x280,0x7ff7e2725460,0x7ff7e2725470,0x7ff7e2725480
    3⤵
    PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:6644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:6872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:6936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,14302908576361538613,7460480162986291237,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:5804
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:6896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:3256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4292
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:6764
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:6628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39dd055 /state1:0x41c64e6d
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9b87fe4c2b6f06e780060619b80349ca

SHA1
b27512a62cbfd30f54292fc1ed4c71b5b450d5bb

SHA256
e8806b58f7efd52464892632fd53e4efda9e934055a7a3df06c4999d4d242456

SHA512
0017e04675ffa88ea5c4b6cbfb537cf76d72d6ee3a3bd250a9fd14d9aa3a0b6579275a448b28a08a6933d276f046fc30208fa5aa2a3b1975bad6531d33b61d6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
ef4e343d538d8d2c17556b6c1706dceb

SHA1
0145d91598b349d61266222ddee58d46659ae312

SHA256
2b332197b110cacc99275a3275d81bf2340476c9e6817199218864947497512e

SHA512
5b536d7cd89668c01bac46f3118004404adfa4937b973efbddd96d1ba377d7f7ded7827b73ed608eec6f92b50ed8833f0ed1aabffb0af03a6a48277686d34fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e01ecf25e19d4b7b226608a532247947

SHA1
3418ca8626b3b9cc0f8e41651dfb3c4f96a605b1

SHA256
0d6d63437647be4584bd10586b16385d3c41d68a157eb7b1a6caa15f45afb4da

SHA512
43ddedaabc62d1c6c43faf95c43d4a36c82584838c12cd54e04ec9124c458b36461ea59b60b1e9e5b4f5315fc7fe3c90943d0852cd15413e2c03d27bf71cf028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eec63e8f7d5784a794d6005351cd5866

SHA1
b4726f83643d96ec3848c4363fc6bd31b7c795d6

SHA256
d1a7523cf39069a6f4c00bd74805594cbd501e8fea7f01cf8ed0f5e233af1508

SHA512
60720eabeedc1e834cd8cdbd4added2936ec8f2ae474726ef012b2f44d26df44cadf2c960015e758c2d67034e7054add7dd51b80da5a46fb1b060d84fd775042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a2eb5c1419468c5eaedfb3d796de6ac

SHA1
04d0e0d5a77a256aa37301de3f7a9e9047440328

SHA256
a543d316a1c04a700f7db86f17d3688fa2f63327b89c19264ea688977f0b95a2

SHA512
429befb2065de8d76b31f533b4d041e212adb3702065b84a384f705410b43cc285a12abd389e04d24483e176f72be9d53f202e163a379151934ae20f10ab64e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
946443b16826cf6a8971ac8d658ed89e

SHA1
0e828f04caa3f5d427252c0467939916c1bc1bd5

SHA256
6820aea4671a878d19e467dd7081e75419bd6d34cd76bfd60a3c8a06c882b311

SHA512
e2cfdd2ab67297dd0eeb6f0548ddf99ed21190eea0516b9e6c0feda22add8233fa752011785c5b12d42c7a07d32a918eb65881e646fd3ba0598b0d3338374d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f9ca22bbec5bd05738c42199e8602c9

SHA1
028894067966c84adce31b8b72007a8a9ce07240

SHA256
5e4e1df062cd2a6445c632dbb313344cf3b660b5e2a3e0ffa4f8d58bdec96c08

SHA512
f3e6ba8c7beb7832a5de1d368a5d10822ae70dcf26c456cb2c3375a14aa2b1223d58933930e259ac233f3512caa8af0d62c0a62b1cc86bacef7d52089ae3db90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68484dd46e4e41f8ade6683c7115da8b

SHA1
7b8a941c8cd2ca19a08faa30334811fb3d2090e9

SHA256
997ff4bad9d964b78f9c5d55c78c3dda583aadba3425a6cfa88d483db08d8871

SHA512
54b2596f9a992fa59b1b898a025d55ed4141a9894c47edc790e94d687d093d45c50aa0242853591243f89a78db2a0b884e7f20e7021a78bf5c5a31bace71c03c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7840e57461b7a222d7c91f392463e93f

SHA1
3a2908a4658b4837a6654d0e6ea2e57959a81f64

SHA256
8370e0e2f5da4b5078fd2c5fd6a8e8bf0b91d9828382de25da75a3aaa2e3dc3c

SHA512
28d28c36fd8fa59380b767a835dda3864f597b0f3ef7d9098ca6645f7cb5e0289065b99cfdddfdc43294f0e594820b3a3f356ea1fa97ca7fc9b279e11cd03311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
203baa61d288eb1c711d55b2c4b68be5

SHA1
cd7197b2de305b79f409bec7a514f4e1fefab283

SHA256
215328b882ffe475197c5658ff68f10206716d6ddc197635972db815171ad5df

SHA512
dff29f86edb4d05fd6d745c622aba79cab6ebf7125d2869debe0b7722798acfe345ff5bfb3c325da50bff42ce1ea49a96cfe91fc2ae2152683e8e13bd7485fc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bf2b110c58c91eacf8a60ed692bb1d38

SHA1
66c11d0f648ff0d25ad69250edc149f901267fb5

SHA256
6b18d6a7fa2f409ee563e5efc60e9b85d264722ae816cda3868fec1e2a0ac998

SHA512
ec3abfdc3e2709259ff4171969bdf226e248d6aed69099308d0fa8ce787cd1e045449c8539112b43a35b5b4685f2c9c6f3d5ef2262744a26b6049323aeab671c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
b334e22d9b343d609b9362e66ba86550

SHA1
f6524387608be1defa41b4b98bc413c19e37fe18

SHA256
b12a7498def44ef371a8c84b67d8cda1e5431c3789210af90db491691eb39116

SHA512
cab4db1b7641546add110e53bfb95ee861a908e36cf8834c4fc297247649d3ce6c454a0f0a4502f20e97d0f48e01aa61ea0633f1fe8e0dde638ac1f0a0ae8e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
65f2781a18861b019eefd2a8677498c2

SHA1
9903bcd9aa2fbd96447729fe62fda738d20431b4

SHA256
762c2de4eb585dd92c1e4cd3026390686da545afa2eeda3b2d1c6f0c04c3b642

SHA512
3b2f2bb54eb2eb1a31f8a6c1b5a5217d756fe84f08221719ac51c2f0b7cb78ffbbacbab3a4799910aaff299e9b5ed344ce82499427f09f35d2d4cb2eba944cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
24a4a715d74861cc67b5d2ca1e164656

SHA1
26fb746c7cae5c2acb9de0debe13e8b127e9d520

SHA256
69f0faf6cd0615d851ac5b1b0ec8062ca160945127961d69090f87772438bcbe

SHA512
e1be209cb40ab40d85e54acbc5bfdbf6685df1c7d92a6c26df1c3336039e74461e9f2378c54c2d20371e5b24c3b4f0a70afe9fb84e503436293368ee6d3a659c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
77fe0ce7e1f9c9ec2f198ad2536bf753

SHA1
2a366472f227a24f3c0fba0af544676ea58438d7

SHA256
c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00

SHA512
e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d57a449c855203411a38d5ae80bc24c

SHA1
b361032efa556fc4557bbad595ce89c4b0c13dba

SHA256
bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21

SHA512
8d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8c0114f1cdfd299817e974dd0849aadc

SHA1
fd51a6ec8563c8674998b5f777c2cd7cf2f1bc23

SHA256
4f3302560114c35eed5c51c8e2096965bbb5b93c2c1b04123edc946cf4c347a3

SHA512
8a80ebd7be72ff7e2e30a02a1f1e643aabe6415181d0307cc2d74e07c0cd5125744b861ab52a17ee1274702fc288f5e5c20324a845e8dd3c008255d4a48a5f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
4c3dc5928b5cdbf6b8e5f34d81b11144

SHA1
fdc6febc7e1ccf54c55f13283b8ddeaade65238d

SHA256
3980055c6540fca50c215544063f8eb58061dc139dec26820e0bad5842809aee

SHA512
4c31f76e97d0dec8045f9238370260b1565e752110abeede5b13da7c9e01c77e0567d4d55a96cf6502dd55580d7f6f7d832687ca6552b8f97168e9599fbefe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc1dd131763e1f8a06ce02fca9f6a5eb

SHA1
942ed935b40e8110f95c5d8cda453a8b4138cdd5

SHA256
b6861b89f7d76e807017dfd847084cafc337e2f6aff9fff5974eff5f5e3bacad

SHA512
ae5b0062a76f687b7462026a81b33b11bfe0a3b780b7148154b5a7872ec96facc0a847956a0f6bab1948d1d9823f8c3039220bfce2a97105b877a84d99bc0571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8479d724c19ece39198406dc5182a800

SHA1
7a9720b458136d8ee442408da690c81454a96192

SHA256
11c4fdb73c6fa8e0114e915baf3eab90bcbb0279ba2b6529cd2f4805d9c69c8f

SHA512
4a7dce052d5bb43720d04ae2ff2cb09aab80c0f050aab5026275a37eccfe78155409adf39d2ecf3e960c9cade367076ca85def1c269c91a59d1bb724efc79444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c2323da395711bee73b67c68d7c6b91

SHA1
9f2bf4d7445347fcddb626d6a7d60e42919abb18

SHA256
348a0e32452fd40b875406f0925f9c19ea880edbcccef7834569d345d5894ba6

SHA512
d341c7fbd9e712adc08c755cfe52d9c12cc2755d338d1103556cec971b5c5a46d10648b4adff40abb565520cc30ae6f07ecb7687650e1801fb07d5764b44209f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
87a0dee0b43f13f261c31118ae57183d

SHA1
26c88a0b02ed4375444a0e84a87a7184365ddfed

SHA256
ddfb247fe301fad2993d27a1c69922086ee33f25c147f15f219f466823e90463

SHA512
1f58a2272401e653518673043084faae187b424790c3c4a402ae2fc26c012e9cb23926291a7ae74e4fa900b4d27ab0048953b33c6044a3ec1251164cefffec41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9b2345e425acf05ffaa1dee20d4fdbe7

SHA1
aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3

SHA256
1eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14

SHA512
647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
77006dacd174a80aa9b867f95d5df337

SHA1
7078db638c72ee5cf4ede7911e4421cc4ae103c7

SHA256
5e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9

SHA512
e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd97dd8ced8d28f66030d9bfe73c06c8

SHA1
06c0ef87db0124001c1c7dc40e308e4352c10cf2

SHA256
1f6c5498c4a4f15103a07970922f19abe4cb4352be5887443105bfd2c6b52666

SHA512
533e73daba007edb4deff265757e15ec95f084c55ee4de8c174a9b1b3ac72a54bffbf72dd400fde37e25704c7c0435f08d2f35b14d3a663ac06df46bf68db5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c1d1a8391aab564684f64f2735c2ee5

SHA1
ed9aaa58d11b7a8136bb5f97b27d82568c17e26c

SHA256
dca5212245de6e3995e3ba2cb652c30aafac099a3f609149aa4674368eb268fd

SHA512
a11ee0b600f9f6608eb67815e6351fc14bd1e87e58d1798a3d987260c94934d248eb16e55933dedad3fdbcb4ee420f5c111e9ed0aa3373487ba43dac95d9124b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594ec2.TMP

Filesize
1KB

MD5
b31ef0023ec7bbea12970a6e4aee3c17

SHA1
c33ec5e7e65d6cd8f8dc037670015f69a11afd30

SHA256
eba763c45497c19d977eec956f3d8ab47c7a7e4f3923d77c38de3b6df10b539e

SHA512
223bc69ad2096545cff24e6f6540d9f516cfb9dd7b9effb63f168bad0be3d0c54d09128af5cefae0d64557599918a23b21f9e06f34a185df27f4429f178490ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e578f2fa-5e80-4544-8154-6cc442acf742.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
08a4a9c3f35fd67bd993599e221d0250

SHA1
dd5d23a3270a453f830ed43bc380f97562051ac1

SHA256
186aade972a6d0e6a1eb97e101da27806d3c5a450682a9d8845cc4a0d04b2839

SHA512
75f21c1f1a1527b97052b2d9c980018136cf53891ea504f3bbb555b314f8a3495a5de7e7cc5b0425110d90016bd196f1e8fef67c19c10e39829d7ea77091e1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a56d41ff76e70a6ced8e255e3c453ea7

SHA1
dccb02c53559c2a4f1112d60aabbef6eade5f1ec

SHA256
718ae47e3e207b509b86222566908de49dfcfa28bfb43bc8b1e6c9480ce65bfa

SHA512
4854c6e253ad3de9c0d1bd434470089fe545b2f85fc68cfcdc6975e57a9037bb6bfa02b80a4388947acbd72cf3dfa855fd9a8cf31bb88a4d78fc5e96383e8830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2261583d16deb42da0e4c3dc0b173b73

SHA1
27af278243f0cd3053e28f9de7875329eecf7511

SHA256
eeda3ba3a3d111e5bd160037ba2bbb412444cbc9bdddbdd969711d6cd6f14177

SHA512
af59f09c6e5d9333c44a4202ac2d5009f13c8f3db3640f905eac5ff9f275f281cf16ac31249c3e212d2b0b5fe87948e4c4263f372f97fd70645e55dd340a3220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
65126d4e53073195a8ae23a0805a1e42

SHA1
c31357fc209ddd8efeb822dcdc15dcd7066f2c0e

SHA256
4a62b19353b193e910b0c1d8c95aab48563542cec0c3acfbded8ddfd4a7a5f54

SHA512
cc0919a52f54913100f0efd64119d0e11aa9347fddadad1923c0417701f04a000edca50720862e45332d669ea540bac552bc7924abab8ada0d60f69d028cb363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
de708a6fced82eac2670ef85188abbbe

SHA1
6e3445aaec4c000a9371672d454a0ae5a35f7631

SHA256
a01ff1d989e2904396fb5f44488dcc4dff4cbb66a328c5c062f706e35be129ce

SHA512
0d27c9dcf78c04f5d43e8b198ace4d1c005691673f0d9d44f5fa10ebcea1812635ffe5f80dca4b3c37f387a7d7c6229a386c727a5bb07ba039c81618aa240464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
a9686e1c854d9530df237e4c4bb54992

SHA1
f207bf0cfd1cce4b87ad42c12e0463373f2dce67

SHA256
53a8e7af50fcfa8627a8358cafd607492c98a796718aaf311a8c69dc2b46bcd4

SHA512
b2e4a100607394758f1c725e0fc304246a2de05c15411cbc37976dbd858867f5737e348ed6efbf32b8056dac364e29cf9f0c0fc7447dcd8c2cf8c73f115f324a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\cache2\entries\B12380E59E366D551CA91542483B50A71D3DB16C

Filesize
224KB

MD5
634c0a6370a066e985382ed249b08677

SHA1
485ac6f77bc3b8826f52d9c4676f9f273eacc503

SHA256
5db68c3510941c61a3ebac0a0631533d5588495ec75d7632c06eee3c26265655

SHA512
6a736cd22b1c7f5e8431dba05e028db71f978b9cd73623a610d0ec113bbb184917c8955200eed2a91f37bd87c0fa643ad70c1ade6a5167cdb851ff3207b8cd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5204_1063177284\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a02f265ed90cd3585d85fbb2daae9c03

SHA1
81915983e6a80c75332477ca36b76c5327c4dfe6

SHA256
c8355359c974fa823a27260d389addc388eab02abec58cfe0aa1551c03906bd3

SHA512
f92733a0f024f9312debbe4fdb2ab823d5ce91ad3d5832f03e26015b8abb400884719b6e480609862f5b4a8bebe264571971be43d9fa1eb6e2e534532ae5f253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0877c1b2893a75df7806424b783d26bb

SHA1
26c8d94a96db30ed98befeae0d85f2aa7b419cb8

SHA256
63dee6e3eeb90c928d47496629615b9bdb42e848e8a0b86ed067e7f3f67194bf

SHA512
50deb6a4ecb2c87cdacf4697eac05989a685415072547f3eb1425c74d28dd4ccd7f12307b0371c4a16ee8dd12d6008aa492ecc0eef39f845f6aca31bed61b3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\AlternateServices.bin

Filesize
7KB

MD5
6d7082dec2ea520bd46c2d8d5494def6

SHA1
9009706ecf3803f60de9cc2d71f0149e3d0b85d1

SHA256
fd232f4028a09afcaea2da871860069e77f7b4de8db1d9c95ae71af1e25bb37b

SHA512
da8eb46924359c8c53d1449238d5d8e707c2ea9672878ac85f1cbc2aefac133236aef1b8ac0c1ae052d15baa897da532c6af3265a96939c5548b11aff18b1426

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\AlternateServices.bin

Filesize
12KB

MD5
654cf5e4304d536a74cece9d54b30b08

SHA1
2b3ce2aae1a41af571d8c0887feb2aa61bb4da6b

SHA256
4581f8aae79c6d90d4606ac5b3ab1cf5baa51760e5a3661707565a0fc146e34c

SHA512
508f385a58ea926adc5f3243a4c20efef85b967b4bb60fcc6670f88f86e728d50e9074738ef51cf893905b014022b5ee45cbbb58f002c1805285abda3e891ca1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
94d70e4b232904a4e0976bc6af7d9ede

SHA1
ed8cf4f58dab5666043f9b227169ebafb5d76518

SHA256
14c9a87bdc94d418c1a8ccb5f1ff90b4d59dac606f9819cee242abafbcc6e730

SHA512
a2c1c1d479317feb1a23cce1ffe02151a54f4774a87052f7e9a6bb8f663f037dad123843e44b8e9b8e9839ece5a0950436a0af057083d830d33728af099493fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
355a90842a07b3564cd4d7de36ed3f66

SHA1
4b10dfbdabebc039591b1804891cf82b8f06a22f

SHA256
ea3a45ba18492e104d580d704dee45d8750c5106944c75a7a141bc0e3e1992ed

SHA512
c059d00b4223428dfbb8482ed2c4c18fa74036163ade7943ede5df10f93f8470026902457c512db3933bbbfd8d454eedd63e5289e6bc2383ab4b85077594d1fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
28b72c2f6f0fbe21decd9d2bf99602ba

SHA1
635a314a450a6725466f71e181ce268f9f34e35e

SHA256
a3fa9ca3e6a0fcaf468bac2eba9bf59c7609ee7cbfca74e83d3675b2d2ea4a67

SHA512
dc0c9f0f1a286d7eed36575e55327a86b673e3c9dbc0e95a8b5625be3894860ebfc58e1be7a010a5d2687aa32f10a5529e7d72870f6d7c430a6afc25287a93d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
e82e3303d5483a1acfbcf7d1335f0060

SHA1
a4bdf3627512adc0921f2379f3650c78a3a8c13f

SHA256
7646c38b4ad2647f5e501616aec87055ed0179d3e768f80e12f90382533c619a

SHA512
4f6de4f47488d9c6189d17148bbbbd0fe7267745108e9021b87756409ded917c133acdb0e8a6378417bf331f1e3fe51082180131255a99511b6888484aabf024

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\0954345b-4483-47e0-94bd-def4b028d688

Filesize
982B

MD5
8c77f3f95a430fcdda79fdfd5fd82fc9

SHA1
f5111b00cba58e04d653055aec25e2d807c1c879

SHA256
74e0c18c8f965614cd744f0e36a18c9c41258c1c7025ef01c8e4ec8700280a58

SHA512
ee4a27d55834c9fae88bf265f43bf559bdbee35da87cb218491705bbcea1b66e29c8ed8e1b7de6b56dad8c3ea4157bd8f8f993770f21b182a41cfdcee4bed5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\823817ac-f1b7-4bef-baf9-5c6170bb5776

Filesize
659B

MD5
e0b524b2eaafbdd125798f6e919d13b5

SHA1
1de2004cf69b85ebe659a4fb99c338df9420f3a6

SHA256
b172ca8c88eadd1877e4f2f3e670c979016c1c16e4834c9e97bf19a7a841dbd5

SHA512
7529f8e0f08a07fa88eb5360a4435e88b1fd223721a085ed296accf47443981aaff3615ab6dda9bfbea511275e15d0a185c52b6ea27f61b2227dac6bd6ac2692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs-1.js

Filesize
10KB

MD5
cda4b7595c840b328756b284648904ec

SHA1
cd864b0d9618da103ae6cd567c3ff77e7242d58e

SHA256
f9b5a2e78c2c9c6acdc59e0037f5f086902367470b8d669ff0732fce1fc46054

SHA512
9f2ca0e8ad1c07fabba7088e5cb80067740a812a92af7e9715b7a550367f91db9aa3c3ab0808f614cbdb86ae52451fec25e18c3dfc6688f9f0dd039643d7972c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
6fb43919cb6fa66fb7a60e853c412a2f

SHA1
fed950ffa9804ad0c1c9af6a9488419a5f4f6608

SHA256
5c12ce6217bde83c5a0d346c6c3aefec8137a30b44da6080cbd28153f2c4df47

SHA512
07843eb05e5d086a3291c7f6646a26d6fc217bc91337b3d2d38f1f19033f16b6ba91adb080cab5ca0aebcd4b8b4c20dbf642b86d4ea1f1a091e067404644732f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
33b1605c996b727804faf6bcf53369d5

SHA1
b705e973644ff57886bc359b2b6405a693de9c17

SHA256
963286fc2b44dd2a042482ad8cc638be20b0f1290870cede7c6d6d5a86b8069c

SHA512
1cf55fd4efa44860c9808f35c72e1966dba4dccb2f51d01eac30599d9238bd48387672ba05c2216565e4828fc6905b9f1598bf0045405203b5b95d933acf2b43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f0aa1120a83a56d7429bdbe5d4c14948

SHA1
0229715ad494598bffaa0eb0868ec407323fbfb5

SHA256
ac48d9bd6e02b80bf5e1e55099d7759c0281c971a28992e91d7dacd41cfe947f

SHA512
971833ba2c4a3d7cc97b29e67c08565c92c71f87c826fa03101b8d86fab835ac9140428e2c6ad99d8a1d34709ac44bfaf8c68b7866568db7226b222845257eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
3d1db7d447da03ee2605f22e6effd116

SHA1
da3e4234a37a162c9b08e7d4a9f202a8d584428b

SHA256
de6f37352472bc7eb5dd1047d1f5d915fe150077966475d2d2e041031673cb66

SHA512
ac70534a3a06fc8a64a2c08709f5284b7f29c6d7398e63cb8c9674412b3e4d7b7d85fdfc856a4144b1675e5abedb48dfa9def73b5ff904722c2365c4431345d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
ff886da020f2094a4cfb78ec5d664e26

SHA1
7e2074996dcfc86d25820bf1be064d1bc24594b4

SHA256
778309f1e4fab36c4fc68d0d98344286025c1957ec2aab23b0bebcec8dbfac93

SHA512
174861abd737dc5fe6ed7c3b6e7c1b0a0241a5ca9263c8b6550e0cf75677817adc760eaa77aea4d592595188bfbe38cc872a8f75087db5c71f38dc303d8d3d5b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 220193.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
memory/3604-1613-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3604-1620-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3604-1621-0x000000000CF90000-0x000000000CFA0000-memory.dmp

Filesize
64KB

Download
memory/3604-1619-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3604-1615-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3604-1616-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3604-1608-0x000000000BE80000-0x000000000BEB8000-memory.dmp

Filesize
224KB

Download
memory/3604-1609-0x000000000BB90000-0x000000000BB9E000-memory.dmp

Filesize
56KB

Download
memory/3604-1592-0x0000000006680000-0x0000000006C26000-memory.dmp

Filesize
5.6MB

Download
memory/3604-1591-0x0000000000560000-0x0000000000C0E000-memory.dmp

Filesize
6.7MB

Download
memory/3604-1618-0x000000000CF90000-0x000000000CFA0000-memory.dmp

Filesize
64KB

Download
memory/3604-1617-0x000000000CF90000-0x000000000CFA0000-memory.dmp

Filesize
64KB

Download
memory/3604-1614-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads