Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
18-02-2025 08:12
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.mediafire.com/file/bd91d85sr1y0p4c/S0FTWARE.rar/file
Resource
win10ltsc2021-20250211-en
General
-
Target
https://www.mediafire.com/file/bd91d85sr1y0p4c/S0FTWARE.rar/file
Malware Config
Extracted
vidar
https://t.me/b4cha00
https://steamcommunity.com/profiles/76561199825403037
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
Signatures
-
Detect Vidar Stealer 3 IoCs
resource yara_rule behavioral1/files/0x0007000000027fbf-705.dat family_vidar_v7 behavioral1/memory/2736-712-0x0000000000400000-0x0000000000422000-memory.dmp family_vidar_v7 behavioral1/memory/2736-877-0x0000000000400000-0x0000000000422000-memory.dmp family_vidar_v7 -
Vidar family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2196 powershell.exe 2956 powershell.exe 1536 powershell.exe 5732 powershell.exe 5944 powershell.exe 2328 powershell.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 214 648 S0FTWARE.exe 188 5440 Process not Found -
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2984 chrome.exe 1496 chrome.exe 3304 msedge.exe 4292 msedge.exe 2928 chrome.exe 4292 chrome.exe 3556 msedge.exe 4356 msedge.exe 5524 msedge.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\Control Panel\International\Geo\Nation S0FTWARE.exe Key value queried \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\Control Panel\International\Geo\Nation thjsefawdwa.exe Key value queried \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\Control Panel\International\Geo\Nation service.exe Key value queried \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\Control Panel\International\Geo\Nation bvuksefawd.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 15 IoCs
pid Process 648 S0FTWARE.exe 5496 thjsefawdwa.exe 2736 bvuksefawd.exe 4944 setup.exe 3284 setup.exe 2228 service.exe 1560 setup.exe 3224 setup.exe 4996 setup.exe 1820 setup.exe 2548 setup.exe 704 setup.exe 3612 setup.exe 3240 setup.exe 324 S0FTWARE.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\JIARH\\thjsefawdwa.exe" S0FTWARE.exe Set value (str) \REGISTRY\USER\S-1-5-21-4002483208-3304649696-3162246273-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\JIARH\\bvuksefawd.exe" S0FTWARE.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 213 raw.githubusercontent.com 214 raw.githubusercontent.com 294 raw.githubusercontent.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\telclient.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\pt-BR.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\it.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Canary.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Content setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\manifest.json setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\TransparentAdvertisers setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_proxy.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_200_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sr.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\km.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\LICENSE setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\en-GB.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Social setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\vccorlib140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sr-Cyrl-BA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Installer\msedge_7z.data setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\gu.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Temp\source4944_387610324\MSEDGE.7z setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\gd.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\am.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\pl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\MEIPreload\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\microsoft_shell_integration.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\v8_context_snapshot.bin setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\es-419.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ru.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mk.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msvcp140_codecvt_ids.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\CompatExceptions setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\icudtl.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\is.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\zh-TW.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\edge_feedback\camera_mf_trace.wprp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\learning_tools.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\am.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\et.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ta.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\onramp.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ca-Es-VALENCIA.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\kk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\dual_engine_adapter_x64.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\edge_feedback\camera_mf_trace.wprp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\id.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\mip_protection_sdk.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\show_third_party_software_licenses.bat setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\canary.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\tr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\kok.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e304fff1-be39-46e3-944c-418c98dca14d.tmp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\or.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\mip_core.dll setup.exe -
Drops file in Windows directory 36 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp chrome.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvuksefawd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thjsefawdwa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5308 MicrosoftEdgeUpdate.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bvuksefawd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bvuksefawd.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2380 timeout.exe -
Enumerates system info in registry 2 TTPs 11 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe -
Modifies data under HKEY_USERS 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133843400250089269" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.html setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.htm setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\notification_click_helper.exe" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.shtml setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html\Extension = ".htm" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" setup.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2348 schtasks.exe 5620 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 2556 msedge.exe 2556 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4536 identity_helper.exe 4536 identity_helper.exe 5580 msedge.exe 5580 msedge.exe 5732 powershell.exe 5732 powershell.exe 5732 powershell.exe 5944 powershell.exe 5944 powershell.exe 5944 powershell.exe 2328 powershell.exe 2328 powershell.exe 2328 powershell.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2984 chrome.exe 2984 chrome.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 4496 msedge.exe 4496 msedge.exe 5572 msedge.exe 5572 msedge.exe 5572 msedge.exe 5572 msedge.exe 3556 msedge.exe 3556 msedge.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 2736 bvuksefawd.exe 4996 setup.exe 4996 setup.exe 2196 powershell.exe 2196 powershell.exe 2196 powershell.exe 2956 powershell.exe 2956 powershell.exe 2956 powershell.exe 1536 powershell.exe 1536 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid Process 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 2984 chrome.exe 2984 chrome.exe 2984 chrome.exe 3556 msedge.exe 3556 msedge.exe 3556 msedge.exe 3556 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 968 7zG.exe Token: 35 968 7zG.exe Token: SeSecurityPrivilege 968 7zG.exe Token: SeSecurityPrivilege 968 7zG.exe Token: SeDebugPrivilege 5732 powershell.exe Token: SeIncreaseQuotaPrivilege 5732 powershell.exe Token: SeSecurityPrivilege 5732 powershell.exe Token: SeTakeOwnershipPrivilege 5732 powershell.exe Token: SeLoadDriverPrivilege 5732 powershell.exe Token: SeSystemProfilePrivilege 5732 powershell.exe Token: SeSystemtimePrivilege 5732 powershell.exe Token: SeProfSingleProcessPrivilege 5732 powershell.exe Token: SeIncBasePriorityPrivilege 5732 powershell.exe Token: SeCreatePagefilePrivilege 5732 powershell.exe Token: SeBackupPrivilege 5732 powershell.exe Token: SeRestorePrivilege 5732 powershell.exe Token: SeShutdownPrivilege 5732 powershell.exe Token: SeDebugPrivilege 5732 powershell.exe Token: SeSystemEnvironmentPrivilege 5732 powershell.exe Token: SeRemoteShutdownPrivilege 5732 powershell.exe Token: SeUndockPrivilege 5732 powershell.exe Token: SeManageVolumePrivilege 5732 powershell.exe Token: 33 5732 powershell.exe Token: 34 5732 powershell.exe Token: 35 5732 powershell.exe Token: 36 5732 powershell.exe Token: SeDebugPrivilege 5944 powershell.exe Token: SeIncreaseQuotaPrivilege 5944 powershell.exe Token: SeSecurityPrivilege 5944 powershell.exe Token: SeTakeOwnershipPrivilege 5944 powershell.exe Token: SeLoadDriverPrivilege 5944 powershell.exe Token: SeSystemProfilePrivilege 5944 powershell.exe Token: SeSystemtimePrivilege 5944 powershell.exe Token: SeProfSingleProcessPrivilege 5944 powershell.exe Token: SeIncBasePriorityPrivilege 5944 powershell.exe Token: SeCreatePagefilePrivilege 5944 powershell.exe Token: SeBackupPrivilege 5944 powershell.exe Token: SeRestorePrivilege 5944 powershell.exe Token: SeShutdownPrivilege 5944 powershell.exe Token: SeDebugPrivilege 5944 powershell.exe Token: SeSystemEnvironmentPrivilege 5944 powershell.exe Token: SeRemoteShutdownPrivilege 5944 powershell.exe Token: SeUndockPrivilege 5944 powershell.exe Token: SeManageVolumePrivilege 5944 powershell.exe Token: 33 5944 powershell.exe Token: 34 5944 powershell.exe Token: 35 5944 powershell.exe Token: 36 5944 powershell.exe Token: SeDebugPrivilege 2328 powershell.exe Token: SeIncreaseQuotaPrivilege 2328 powershell.exe Token: SeSecurityPrivilege 2328 powershell.exe Token: SeTakeOwnershipPrivilege 2328 powershell.exe Token: SeLoadDriverPrivilege 2328 powershell.exe Token: SeSystemProfilePrivilege 2328 powershell.exe Token: SeSystemtimePrivilege 2328 powershell.exe Token: SeProfSingleProcessPrivilege 2328 powershell.exe Token: SeIncBasePriorityPrivilege 2328 powershell.exe Token: SeCreatePagefilePrivilege 2328 powershell.exe Token: SeBackupPrivilege 2328 powershell.exe Token: SeRestorePrivilege 2328 powershell.exe Token: SeShutdownPrivilege 2328 powershell.exe Token: SeDebugPrivilege 2328 powershell.exe Token: SeSystemEnvironmentPrivilege 2328 powershell.exe Token: SeRemoteShutdownPrivilege 2328 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 968 7zG.exe 2984 chrome.exe 2984 chrome.exe 2984 chrome.exe 2984 chrome.exe 2984 chrome.exe 2984 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4840 wrote to memory of 4984 4840 msedge.exe 84 PID 4840 wrote to memory of 4984 4840 msedge.exe 84 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 3612 4840 msedge.exe 85 PID 4840 wrote to memory of 2556 4840 msedge.exe 86 PID 4840 wrote to memory of 2556 4840 msedge.exe 86 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 PID 4840 wrote to memory of 2948 4840 msedge.exe 87 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/bd91d85sr1y0p4c/S0FTWARE.rar/file1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb504946f8,0x7ffb50494708,0x7ffb504947182⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:3612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:82⤵PID:2948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:4004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:3400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:12⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵PID:2620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:82⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6160 /prefetch:82⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:12⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:12⤵PID:3132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵PID:3264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:12⤵PID:896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:12⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:12⤵PID:1584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:12⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:12⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:12⤵PID:5352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,189687162811226845,229543998381649303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5580
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3296
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1928
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkM2RjEzRUUtRDlFOC00RThBLTk3NjAtNENFNkIxOTZBOEU5fSIgdXNlcmlkPSJ7M0M2RUZERjktRTZDQi00MjgxLUE0RkYtODhFQTc1ODgyQjJDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEM3MzY4RTMtNEU3NC00RTc4LUIyREUtMzk4OTE4OTgxOTU5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwOTQwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5ODQwNzIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA5MzY0MzU2NCIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5308
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5844
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27798:78:7zEvent293101⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:968
-
C:\Users\Admin\Downloads\S0FTWARE.exe"C:\Users\Admin\Downloads\S0FTWARE.exe"1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:648 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\JIARH'"2⤵PID:5704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\JIARH'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"2⤵PID:6132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"2⤵PID:2096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
-
C:\JIARH\thjsefawdwa.exe"C:\JIARH\thjsefawdwa.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5620
-
-
-
-
C:\JIARH\bvuksefawd.exe"C:\JIARH\bvuksefawd.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2736 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2984 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb3ce7cc40,0x7ffb3ce7cc4c,0x7ffb3ce7cc584⤵PID:4916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2076,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2068 /prefetch:24⤵PID:1736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2252 /prefetch:34⤵PID:2472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2424 /prefetch:84⤵PID:5920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3208 /prefetch:14⤵
- Uses browser remote debugging
PID:2928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3376 /prefetch:14⤵
- Uses browser remote debugging
PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4500 /prefetch:14⤵
- Uses browser remote debugging
PID:1496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4732 /prefetch:84⤵PID:5528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4700 /prefetch:84⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,5753694471003042020,8934240537624617400,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4848 /prefetch:84⤵PID:5576
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3556 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffb504946f8,0x7ffb50494708,0x7ffb504947184⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:24⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:84⤵PID:3004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:14⤵
- Uses browser remote debugging
PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:14⤵
- Uses browser remote debugging
PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:14⤵
- Uses browser remote debugging
PID:4292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2220,11873839060605383122,699418900267387673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:14⤵
- Uses browser remote debugging
PID:5524
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\xlfcj" & exit3⤵
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2380
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
PID:4636
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1792
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\MicrosoftEdge_X64_133.0.3065.69.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵PID:1048
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:4944 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff601826a68,0x7ff601826a74,0x7ff601826a803⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3284
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1560 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01501F3-1785-4561-9A67-C6D1D5EFEAF9}\EDGEMITMP_DABAE.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff601826a68,0x7ff601826a74,0x7ff601826a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3224
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4996 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6829e6a68,0x7ff6829e6a74,0x7ff6829e6a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2548
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1820 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6829e6a68,0x7ff6829e6a74,0x7ff6829e6a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3612
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:704 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6829e6a68,0x7ff6829e6a74,0x7ff6829e6a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3240
-
-
-
-
C:\Users\Admin\AppData\Roaming\service.exe"C:\Users\Admin\AppData\Roaming\service.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2348
-
-
-
C:\Users\Admin\Downloads\S0FTWARE.exe"C:\Users\Admin\Downloads\S0FTWARE.exe"1⤵
- Executes dropped EXE
PID:324 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:8
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\BICBU'"2⤵PID:3480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\BICBU'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"2⤵PID:5624
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"2⤵PID:4444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1536
-
-
-
C:\BICBU\thjsefawdwa.exe"C:\BICBU\thjsefawdwa.exe"2⤵PID:4004
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD5d26d5412e2228fb671609e601f95fec6
SHA117be4254473ac147f1397918d1d9e921e683dc02
SHA256e4f217ba88c958e07c5adacb25eb6e297c7bc7075be8a5e0d40812683eda03dd
SHA512680c9b58dde5689993459e2a9641e6279659e30d2ca7e64f0af10876cb89c1bd711ffe5d07655b3e43ff67038895f5e0928da80bdb2f8d293a7d830ec676e4ea
-
Filesize
28KB
MD5753175a2a378c1448b5e6946d2421599
SHA11a856255b7868a050cebc02845e4af6acb3912ef
SHA2562a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280
SHA51207e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
152B
MD578b6ce61b693206e26cf97ff7d664718
SHA1e910df12cd3267c1f7b85de29acf8db6a789e847
SHA256fdb53a106aabf9b5d083f81e9063c5c773596c02eb5beacfc9cf3dd9d36c8d96
SHA51207118c04e895fa25dad63cd11100f50c17b469b7acb404cda7093e6c7131983381c7248fdbb55f565ca23ca5418132891363b579a1330ee2b4a02a4c4985d85b
-
Filesize
152B
MD59c8a6c03200542a48e0d43ece62d9ff4
SHA13f76c4ff77232a01a0b0fa63293f49b7f6004e5c
SHA256ed5a982a5bf576db524a12ece7eba5db8545022c49b8beeabdb422b2e1c95f2b
SHA5127e4f9ee303a008d8b66312e9f2b0fd92b5d82b979040b0790c378387f23356be48616e283901a9c48fb6c887a182b5df881491cfd538ff86d79b94fd9f07ee9f
-
Filesize
152B
MD51100cd71029f79201c6919cc5da634d3
SHA1fe57df072bdc7274e667190778a964f37f15924e
SHA256fb41d041617b25e6ab8c34afaf97ebf187584e634256935ec92b1157416fdb8b
SHA51264779682870fff3f431c3862bdaab23fcad3e545a60fa8762f77a58df1e98c19d5330d16f72ac94952222bb2781f68ec569d6b8e3ffb1e59471de4ed42883172
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\496a365f-218b-4638-9594-5a882cae6df3.tmp
Filesize5KB
MD5b890540fc8607a97473c55b1872783b0
SHA174151410064f051617a667850c67a6fa74e5281c
SHA2565660dd902520ff54129e0245a18b8104fc7c3509843b8e251593ed6a7bdc3be6
SHA512b02b19afccd96f3a45bfa4e39adc26cec9b7ef2b2fd49138c47d692c4b9be3f9ad1d2049f743caa66aba437e4df1b29e5540def8a039f42ec7efec2ccf78e714
-
Filesize
215KB
MD50e9976cf5978c4cad671b37d68b935ef
SHA19f38e9786fbab41e6f34c2dcc041462eb11eccbc
SHA2565e8e21f87c0a104d48abc589812e6f4e48655cabe4356cda9e3c1ceee0acaa4e
SHA5122faa6fff6b47e20fd307a206827dc7ff4892fce8b55b59b53d3e45b7dcf5fd34cebc4776b63da5aa4d0e0408344bd4602d26d09e7a456dd286e93b768cbfaa51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53247f5e7c5f0897f95e93e0e38726e87
SHA15c7981ce6e02240dacc0059964e6f0c752c65454
SHA256be63abec2eed7c3dc9494bb733ea2367ded8b81dbca403512b59fe64483cdce4
SHA512ca88225c42a6bf1beef7c77e6a41d41d2f98bfcedf485a80039c656f38233f68876d23b8a5e28623bdf02ccc60d46c4c44570efc7c845e951b323681d7a19f04
-
Filesize
32KB
MD57cb10689190cc2ba15c87fc2a02b1382
SHA19baf89eda1438a02e8255ab19d4be7dd8324a8f6
SHA256b282a42cee36eaa70273a7a8de528b6a20a045bdf0b14abc59a399ad7b045ee3
SHA51223ba71da45ee86720598b3688534440fc78e2cb7d8e7c85d37e906fc91fd7387e2ed72a1612438a0ef1faea2bcb1dabfff38a108cf23c42b5d6099ed086df28b
-
Filesize
128KB
MD5fa40b04dcd689e039dc8317923541f7c
SHA164a83d43213240087aba1742f65af91750700551
SHA2569699ef8b9d5138c0a19f8dc0d895e1f966216019d840059e7649901f712d6e74
SHA512959b246278cc13d5a71e2662467aa6b8da5490bbc4a71ed58a84ab57f6f04cf8526d02999122383b4afc0bfaa36d42ba70a6bad186c789cd563bc70c5d75d425
-
Filesize
8KB
MD54d7e1055dbe48fc3dd23b4b014dd04c3
SHA111df8f1ae8578dfaea8444ee48203788ab44180e
SHA256f4bc019b510ce1245b7f5e9f29a80e75d46f0e1f03d5c457feebd10c71b46a30
SHA512307a05c537b348cc9fd4279bd5b15393f1a3ddfb2861d69eb98de351e6cb5b13b8811a3811eb286b8b79ec7b67f64fe5f747146079c066746df58a95a94be631
-
Filesize
1KB
MD54e8137788d8550f3fc03088c9e7fe620
SHA13c5ff95fe429896557f1680b05bffc7e3d6fe785
SHA256efc1a0f0579c898c543b96eeb6a38374f6ec8016f6dd4a986385dca6b23823dd
SHA5125a05c070b4f90197366e258e5da27dd12600b53663a843d61fca49ea6db60729a2abb306d68e1c5752323b7b8cb5f065b77cd3029b8debc67f95e779bf3bc0cf
-
Filesize
331B
MD54ab8c74c4f642affcdda265bee2a53a2
SHA15705b6360639b6200743dfb3eb5c43ace74814b4
SHA256e12e352718bfd266b7d5bffe98ccd0fb84cc24d6efaaa3f23bf2c7abcc1d6095
SHA512a8ab9dee53d468f17d1d3a8c98c89b1d727a2d3453257329f1b31d9bf734d29ebe9e0b2f639e025bc69c7c2b51fd2babc9cbba645c1e4246de655be6bfedb006
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
4KB
MD592fe86ac27a9fd5e536ddee6d85d70b7
SHA1059d0ff38e1cd713de5063d1f7c1320ff4198a90
SHA256600b44d589c0f1dd583c2e51817eeea13bbf693b651a3888d497846e9569f7b4
SHA5128e122e5bd8999b7d81984d49b68506c9d803315c1b6f130c147bb32399926faa8cc885fe83353cf80beb863f44177da313fb87a3dab8064f20eb3b2f75fb010c
-
Filesize
7KB
MD5071e31ef0af2ec64acfdadd156200149
SHA14ee295b71afe73aaa83efd72bd87cedcd7d531b3
SHA256e41306444d017f19d8fa9863ea7b8ff49844a00544cfc1f139e94e5c700f8f2f
SHA5123335c0ba93e3bfd0ccc3ac2c0f21bc33404259ac6fbb27b637af492bf84c536417678dda8f60af638142fdba3cc26f285049963e822a87659e63e7456bd33fe7
-
Filesize
8KB
MD5157db1775f98a8277bf2433df63bc825
SHA153e8836e836ae4a88b54da6490ff3f7263176912
SHA2565a4216833efe5d043d81a31939eec518b7e0cb5798ff456edcc860d5757c2347
SHA51261228c8641cb777e86d0ffce9f419f707f5c64f5b2f4c3a10d9b32cc656dcdcc8dde8ef54812a11c46c04401f5f7567960d0db2cc322fcab022792bec287c094
-
Filesize
8KB
MD58c90c54d2b93d7a9dacec689eafb7431
SHA1d222b47f52e987757a22e819ce0bd75e060fc31d
SHA25669ee391a1de79c6d65ea627f0b5f2f2361a0c8ba8a8e432c146e8e3de2637d13
SHA512cdff1ee4570e36f4a56302a8ce498db48cf1ad9601c8caa9cd4baf97525f4bf1da4eb2f5b918e21de717103cfdf37bb455d391856d56f19a0788978f5430e48b
-
Filesize
8KB
MD59bbe4164ec66d694735f5590cf2ffe84
SHA15eea718d0a72d6b3a5b285ae9566681d3f086c01
SHA256b439ac086eba9e1f9170fc9bbd4a30fe2cb633faa91892726be04e306f38c3dd
SHA51285854f34395e831727db2942ebc16e1d2401197fa36a2f6ec191f0e2cccf7c297d1e44c2ac97a7a2271391d1aaff5d06a6716e28ee7c1822ea47d05d05cee4d4
-
Filesize
24KB
MD57db9693cf6aeaffe8a1e29add7b3bb52
SHA1e015dfa440ce09ffd2b85cf39877776a11c44bde
SHA25640799443919dfa525146cd899d722b3850c976d8014ef3dc1ebf886fa1f8ecd6
SHA512b0236a3a96d323e284a95804676c7194ee4c8e2bb1567d33204c1bc9761ee60f5fa1c04a6f6e1a1765cfda38e80e878894e4d1e37f32d5cdbd86b425a1f8a282
-
Filesize
131KB
MD5e2cab48af419b8d3ba49b7625fb86d4c
SHA1557a605b15af1d64ee477c2d5e4cc3a8d213ec38
SHA256c91e2a5d8ab93fe49653eeb7dbac1bd9d24eaccc1cac97e01f1f37fcab8b5707
SHA512dd8e20c04b090e041086e765c57d21d2c9c648a450299be6f7af11d0ada695d94af8252da1e83584ab4aced73bcd088b0b1609a624c7790021df7985784459a6
-
Filesize
1024B
MD5724c45e411c38e17004e9df026540d8e
SHA177fc29392f0076b5e660481d2f0d6a718fcdc0a7
SHA256b2c7a107561ddc90be6f55d09af0316431058ae4a525241a2261f557e47d2bf4
SHA5126bc557104551d546549b39966fd8c02a5924a6b57f72bdb3b83a7ff0a651266c72562f1881a850b0dccb0401c61dc44cd08b8f61322478c8a438904710c42c3c
-
Filesize
347B
MD5dee600d41384a3cf2ca8111f6756eea7
SHA159d255c455ae9dfd35cafeb2358ef60b421583f4
SHA25674383606cf859926c1ae3aa65c80035135607a0607aca7fb9b5ad17d2fb408c2
SHA512d0d2d9dd6e872f393ddb7187d82e9b4ee7ed33f1719b56ab704db333b5f1a20356826cfebcb1cb973dc09a12b93f4b2e0a9f492a8ba443ec74667c03ad37c92b
-
Filesize
323B
MD589df482782120edd19626b01f577f4b3
SHA1e8b014477e1732da9c2c03c3f1e606accb936a22
SHA25612cc5dc0cb34cc8879849c7f1cd8689b51432aef9ebe730628e23ea8d1b682a2
SHA5126d04cf88f0bd54740156f7f13f4cf20f0d4258e84568aa95d01ddd4e4a57d872d7cd0fda73317b1ddcbc9f10428603795047b6cf40f125d35f8197282b21771e
-
Filesize
1KB
MD58e3fb0dfb92c7edf5016ac0737d87ac2
SHA1b05d13919b74d02acfa2ffe9e7f5cc7b73c50afe
SHA256ec41fd3c9612b21b0b4b9c3e9f74870db1c244a90b80bfbb9566dd528ba279cb
SHA51239bae77de9fa59e49522c8edf85e0c62d54b36ab222bfb3adeece69456ce3e2a1bfa8660182b253a880f5dad35ab317bd7a92d30cadcc842e86f608643d24973
-
Filesize
702B
MD59876513744931bbb0a6b0b07edcf3b62
SHA1094e758cc853bf8e71d9bff1d0701eb9bf6c43ad
SHA256ba381afbd18a817ab8e9bd388c0d6f0235966e6d0fefaba9a2f71888bdfc983c
SHA51254c963e4bce15a166d996ce9cd7fce359f25b70ea7918f4d87c5f8ff6d789733351665fc0aac0c3c0d0253e73fe4c545eeaefab52097995b93605676edf53c21
-
Filesize
128KB
MD56ef931f649d2b97d2e63a7894d899104
SHA10fac719058cd929b5795588834637f2223834ab1
SHA256ec7fd2552956efef0067988d42b9fdeb1bf35826444e8ad74ac9d17f5ee547cc
SHA5123aacc652935c99ccd12b67e5acc3ea4f0ad8cd9be48e1381886e44f6e603b05ad1f91992941cd2caaae3d29fcc5eff33d2d17fe07ce058d4a11bbff7b793e30d
-
Filesize
112KB
MD5e03fc0ff83fdfa203efc0eb3d2b8ed35
SHA1c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664
SHA25608d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe
SHA512c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bfd52371-85f4-4bf4-8525-e63375ef8bf9.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
3.3MB
MD5f2d6d93f347f37732f1eb2396e21bb49
SHA10333f0db61750529da8c358fa47568dd185e1d04
SHA2564d03c750036cd9975f671ed1f950cbcdcd3274d6e94173cbc97bd85ba395788b
SHA51233e2a20cb47393d8eeaa865ec82741771c8cb760256ef6a6e30340ccce1086c6001edb46bd91a2ae68a4b1ab796b657e4da6b42144da8561dd3bd41c5d50b35d
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
10KB
MD5a59f47d7de3ff877f68402fc01a6d0ea
SHA1afcc701f024336ea8f0e403bb2db78cbba290af5
SHA25656ddaf040f8b0bd6abdacc1b0583be8c4730d5b0867d12eb0eb35767aec5ae93
SHA5122c6236fd9fc4da32953152f4150bd2719a74dbdb9de1c3465c58d283f304fe7ecf264b119512bd931476451c675b911dcea425e4f0d700a1e918da2cbdd4a107
-
Filesize
10KB
MD595874092f7d36dbf70fdb1951deb6a7b
SHA1237fd933fe968e2780c1a0ca7b2f9987bf5c68e6
SHA2565f58839253a9c121c5c84fe73bae3745194fedb78966d4fd300743f990a5c290
SHA5128addf936cfbf7fcecabf313406b1070718cf67413a0f675db084e8d004bcd20475d4a98849b2da0cd5baaf2a6e46bbaeee4136afd8ed7030caa99a27b9b64b84
-
Filesize
11KB
MD5268abdeeff62eead212109bd86486fd5
SHA119dc39ba595e91432112c90f1b9297fa2bc933d5
SHA256b09deab370ec9e69e17931270de667d61e4e4a2d1ceb5f2a84fd7e8ed327b962
SHA512a221e6a9ef64305325148f5a4b424a176e343aa886e9d98f8db0440115b8caa6ef270e62cd585d50535738be1be0888cf6c045182c8104e32b9bdb7d93c9e4ac
-
Filesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize126KB
MD56698422bea0359f6d385a4d059c47301
SHA1b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA2562f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
Filesize
40B
MD56a3a60a3f78299444aacaa89710a64b6
SHA12a052bf5cf54f980475085eef459d94c3ce5ef55
SHA25661597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f
SHA512c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468
Filesize57B
MD53a05eaea94307f8c57bac69c3df64e59
SHA19b852b902b72b9d5f7b9158e306e1a2c5f6112c8
SHA256a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e
SHA5126080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0
-
Filesize
29B
MD552e2839549e67ce774547c9f07740500
SHA1b172e16d7756483df0ca0a8d4f7640dd5d557201
SHA256f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
SHA512d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize450KB
MD5e9c502db957cdb977e7f5745b34c32e6
SHA1dbd72b0d3f46fa35a9fe2527c25271aec08e3933
SHA2565a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
SHA512b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
Filesize
1KB
MD5d6d1b8bb34838ccf42d5f69e919b1612
SHA120e9df1f5dd5908ce1b537d158961e0b1674949e
SHA2568a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491
SHA512ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d
-
Filesize
1KB
MD5aafbdb3c07cdd80320ab27b863b5437d
SHA16fd1dd650e6d5248d17a8400445b56dc2d59315b
SHA25622bc5b85f76bdfbe30f699c832183f2be1985e7106b8af86f66e1a360b7a1c17
SHA512268496f2db5b511301bb4f1088229ae94b54c905984d46c8032330020c120efe8ead7c7df214214ad34b59f039c79cec7bbaa0d6af4013d0bd99cd0f809a1f53
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
23KB
MD55e54cb9759d1a9416f51ac1e759bbccf
SHA11a033a7aae7c294967b1baba0b1e6673d4eeefc6
SHA256f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948
SHA51232dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664
-
Filesize
277KB
MD5ba8347fa8e2630493e2c68fa47222fed
SHA121e4ce47095457d8315d7d6e6398b3d71e71067d
SHA256560a5e9dd5cf25444e3ec0c7402f060a071e1f66122768b91ae8f0d1b6c8055e
SHA51255117cabec1a59b85998edaaec4bd5d48f31e5d8b0f1bfd6d81743b8cedfdf2853a8d588c587083982de6a4b210da9f8a628f02163b938a5f7efe0c36baee3d4
-
Filesize
17.2MB
MD5f6c3fb3c1e5dc3c2c3c33d6450453941
SHA1ee8d3347a64c06790b7c1947823ce36cf6dd14f3
SHA256c6a1299c0366b00caec7e84420820d02c6d07fddc41e61f7a90c08159315cdb2
SHA512fa53266821916f64fb1c45e4ef3ed98dddacd4f58a0493778bca4be27f00c8e13b9e94a4fe38ec363959032ace4364a0e04f1c48487db4b543fa72bbe4a45fc5