mercurialgrabber | e5d33a634d0afcca971c73278c7ebe95d7e34343487c52a7beb3480965ef5a3f

Analysis

max time kernel
110s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2025, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial-installer.exe
Size

6.3MB
MD5

8a93ceab7692801e240fa4d15b7d2d21
SHA1

42f5f0da90294133543b85a966905f26e59fc2fe
SHA256

e5d33a634d0afcca971c73278c7ebe95d7e34343487c52a7beb3480965ef5a3f
SHA512

e35f4854148bec95dd787cf618e0c045d70b74141567f44b34cb26940ff3b08e30a92cf16d51ce78d7f917e0a4b5208e80d1fdb69127148e149c90c10c9c9cfd
SSDEEP

196608:4iFAl6mMDfxMvSRNPZptyvMABDTtGV/1QHp44ecv9OHMC994T:4iFAl8jxMKRRiMABPtGV/1SzksCv

Score

10^/10

mercurialgrabber agilenet defense_evasion discovery execution persistence stealer

Malware Config

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe
1784	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
3752	Winhlp64.exe
1660	Mercurial.exe
2372	Winhlp32.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1660-49-0x0000000005050000-0x0000000005070000-memory.dmp	agile_net
behavioral1/memory/1660-53-0x0000000005130000-0x000000000514E000-memory.dmp	agile_net
behavioral1/memory/1660-56-0x00000000051D0000-0x00000000051DE000-memory.dmp	agile_net
behavioral1/memory/1660-57-0x0000000005A40000-0x0000000005B8A000-memory.dmp	agile_net
behavioral1/memory/1660-55-0x00000000051B0000-0x00000000051BE000-memory.dmp	agile_net
behavioral1/memory/1660-54-0x0000000005170000-0x00000000051A6000-memory.dmp	agile_net
behavioral1/memory/1660-52-0x00000000050B0000-0x000000000511E000-memory.dmp	agile_net
behavioral1/memory/1660-51-0x00000000050A0000-0x00000000050B4000-memory.dmp	agile_net
behavioral1/memory/1660-50-0x0000000005090000-0x00000000050A0000-memory.dmp	agile_net
behavioral1/memory/1660-48-0x0000000005030000-0x0000000005050000-memory.dmp	agile_net
behavioral1/memory/1660-47-0x0000000004E00000-0x0000000004E1C000-memory.dmp	agile_net

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
332	powercfg.exe
1208	powercfg.exe
1228	powercfg.exe
3092	powercfg.exe
1532	powercfg.exe
3924	powercfg.exe
2616	powercfg.exe
1552	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Winhlp32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	Winhlp64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3752 set thread context of 2360	3752	Winhlp64.exe	89
PID 2372 set thread context of 2336	2372	Winhlp32.exe	111
PID 2372 set thread context of 2140	2372	Winhlp32.exe	114
PID 2372 set thread context of 3388	2372	Winhlp32.exe	118

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3804	sc.exe
1180	sc.exe
1220	sc.exe
4668	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mercurial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E6FC061B-4CED-462B-BA08-E63F704CFF2D}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1740012780"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 20 Feb 2025 00:53:01 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txyew = "1"	ApplicationFrameHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = ":BackgroundTransferApiGroup:"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mic	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = ":BackgroundTransferApi:"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = "1"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = 854818d13183db01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009db2f2d03183db019db2f2d03183db019db2f2d03183db01000000000000000001000000000000000000000000000000280514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800bc003100000000000000000010004d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e31683274787965777900840009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000380060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a006e00310000000000000000001000436f6e73747261696e74496e64657800500009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000043006f006e00730074007200610069006e00740049006e0064006500780000001e00c600310000000000000000001000496e7075745f7b39646239306432352d636437392d343731662d626434322d3062373532626133346365627d00008a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000049006e007000750074005f007b00390064006200390030006400320035002d0063006400370039002d0034003700310066002d0062006400340032002d003000620037003500320062006100330034006300650062007d0000003c000901320000000000545aa6062000436f6e73747261696e74496e6465782e63616200580009000400efbe545aa606545aa6062e000000000000000000000000000000000000000000000000006399030043006f006e00730074007200610069006e00740049006e006400650078002e00630061006200000022008f0000002700efbe8100000031535053b79daeff8d1cff43818c84403aa3732d6500000064000000001f0000002a0000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000000000000000000022000000e10000001c000000010000001c0000003400000000000000e00000001800000003000000b23b04fe1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e3168327478796577795c4c6f63616c53746174655c436f6e73747261696e74496e6465785c496e7075745f7b39646239306432352d636437392d343731662d626434322d3062373532626133346365627d5c436f6e73747261696e74496e6465782e636162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006a6d73676c716b6f00000000000000007263cb787fe3fb48931d76187384967254976a6077edef118395cea7bfe93e587263cb787fe3fb48931d76187384967254976a6077edef118395cea7bfe93e58ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003700380036003700330030003400350031002d003600300030003100330032003500300039002d003400360035003500330037003200350039002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d5677f18000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mic = f401000040010000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = "9"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = "\\\\?\\Volume{187F67D5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{9db90d25-cd79-471f-bd42-0b752ba34ceb}\\ConstraintIndex.cab"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txyew = "4294967295"	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = "INetHistory\\BackgroundTransferApi"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = "INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txyew = "4278190080"	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txyew	ApplicationFrameHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mic = 2c0000000000000001000000ffffffffffffffffffffffffffffffff28000000000000005803000081020000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup\ = "9"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = "MicrosoftWindows.Client.CBS_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallowed = cf90efc43183db01	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cache = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\650fff9d-a18e-4b31-b47e-e1d11d537 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	powershell.exe
3768	powershell.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
1660	Mercurial.exe
3752	Winhlp64.exe
2772	powershell.exe
2772	powershell.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
2360	dialer.exe
2360	dialer.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
3752	Winhlp64.exe
2372	Winhlp32.exe
1784	powershell.exe
1784	powershell.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
1784	powershell.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
1784	powershell.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
1784	powershell.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
2360	dialer.exe
1784	powershell.exe
2360	dialer.exe
2360	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3336	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1660	Mercurial.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	3752	Winhlp64.exe
Token: SeDebugPrivilege	2360	dialer.exe
Token: SeShutdownPrivilege	1208	powercfg.exe
Token: SeCreatePagefilePrivilege	1208	powercfg.exe
Token: SeShutdownPrivilege	3092	powercfg.exe
Token: SeCreatePagefilePrivilege	3092	powercfg.exe
Token: SeShutdownPrivilege	1228	powercfg.exe
Token: SeCreatePagefilePrivilege	1228	powercfg.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeCreatePagefilePrivilege	1532	powercfg.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2372	Winhlp32.exe
Token: SeDebugPrivilege	2336	dialer.exe
Token: SeLockMemoryPrivilege	3388	dialer.exe
Token: SeShutdownPrivilege	3924	powercfg.exe
Token: SeCreatePagefilePrivilege	3924	powercfg.exe
Token: SeShutdownPrivilege	1552	powercfg.exe
Token: SeCreatePagefilePrivilege	1552	powercfg.exe
Token: SeShutdownPrivilege	2616	powercfg.exe
Token: SeCreatePagefilePrivilege	2616	powercfg.exe
Token: SeShutdownPrivilege	332	powercfg.exe
Token: SeCreatePagefilePrivilege	332	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe
Token: SeTakeOwnershipPrivilege	2640	svchost.exe
Token: SeLoadDriverPrivilege	2640	svchost.exe
Token: SeSystemtimePrivilege	2640	svchost.exe
Token: SeBackupPrivilege	2640	svchost.exe
Token: SeRestorePrivilege	2640	svchost.exe
Token: SeShutdownPrivilege	2640	svchost.exe
Token: SeSystemEnvironmentPrivilege	2640	svchost.exe
Token: SeUndockPrivilege	2640	svchost.exe
Token: SeManageVolumePrivilege	2640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe
Token: SeTakeOwnershipPrivilege	2640	svchost.exe
Token: SeLoadDriverPrivilege	2640	svchost.exe
Token: SeSystemtimePrivilege	2640	svchost.exe
Token: SeBackupPrivilege	2640	svchost.exe
Token: SeRestorePrivilege	2640	svchost.exe
Token: SeShutdownPrivilege	2640	svchost.exe
Token: SeSystemEnvironmentPrivilege	2640	svchost.exe
Token: SeUndockPrivilege	2640	svchost.exe
Token: SeManageVolumePrivilege	2640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe
Token: SeTakeOwnershipPrivilege	2640	svchost.exe
Token: SeLoadDriverPrivilege	2640	svchost.exe
Token: SeSystemtimePrivilege	2640	svchost.exe
Token: SeBackupPrivilege	2640	svchost.exe
Token: SeRestorePrivilege	2640	svchost.exe
Token: SeShutdownPrivilege	2640	svchost.exe
Token: SeSystemEnvironmentPrivilege	2640	svchost.exe
Token: SeUndockPrivilege	2640	svchost.exe
Token: SeManageVolumePrivilege	2640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe
4696	SystemSettings.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE
3336	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4860	Conhost.exe
3336	Explorer.EXE
3336	Explorer.EXE
4696	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 3768	788	Mercurial-installer.exe	77
PID 788 wrote to memory of 3768	788	Mercurial-installer.exe	77
PID 788 wrote to memory of 3752	788	Mercurial-installer.exe	79
PID 788 wrote to memory of 3752	788	Mercurial-installer.exe	79
PID 788 wrote to memory of 1660	788	Mercurial-installer.exe	80
PID 788 wrote to memory of 1660	788	Mercurial-installer.exe	80
PID 788 wrote to memory of 1660	788	Mercurial-installer.exe	80
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 3752 wrote to memory of 2360	3752	Winhlp64.exe	89
PID 820 wrote to memory of 1636	820	cmd.exe	98
PID 820 wrote to memory of 1636	820	cmd.exe	98
PID 2360 wrote to memory of 612	2360	dialer.exe	5
PID 2360 wrote to memory of 708	2360	dialer.exe	7
PID 2360 wrote to memory of 996	2360	dialer.exe	12
PID 2360 wrote to memory of 436	2360	dialer.exe	13
PID 2360 wrote to memory of 780	2360	dialer.exe	14
PID 2360 wrote to memory of 1028	2360	dialer.exe	15
PID 2360 wrote to memory of 1036	2360	dialer.exe	16
PID 2360 wrote to memory of 1164	2360	dialer.exe	18
PID 2360 wrote to memory of 1192	2360	dialer.exe	19
PID 2360 wrote to memory of 1200	2360	dialer.exe	20
PID 2360 wrote to memory of 1276	2360	dialer.exe	21
PID 2360 wrote to memory of 1340	2360	dialer.exe	22
PID 2360 wrote to memory of 1412	2360	dialer.exe	24
PID 2360 wrote to memory of 1472	2360	dialer.exe	25
PID 2360 wrote to memory of 1520	2360	dialer.exe	26
PID 2360 wrote to memory of 1536	2360	dialer.exe	27
PID 2360 wrote to memory of 1688	2360	dialer.exe	28
PID 2360 wrote to memory of 1740	2360	dialer.exe	29
PID 2360 wrote to memory of 1768	2360	dialer.exe	30
PID 2360 wrote to memory of 1808	2360	dialer.exe	31
PID 2360 wrote to memory of 1880	2360	dialer.exe	32
PID 2360 wrote to memory of 1888	2360	dialer.exe	33
PID 2360 wrote to memory of 1904	2360	dialer.exe	34
PID 2360 wrote to memory of 2016	2360	dialer.exe	35
PID 2360 wrote to memory of 2024	2360	dialer.exe	36
PID 2360 wrote to memory of 2124	2360	dialer.exe	37
PID 2360 wrote to memory of 2240	2360	dialer.exe	39
PID 2360 wrote to memory of 2424	2360	dialer.exe	40
PID 2360 wrote to memory of 2432	2360	dialer.exe	41
PID 2360 wrote to memory of 2468	2360	dialer.exe	42
PID 2360 wrote to memory of 2556	2360	dialer.exe	43
PID 2360 wrote to memory of 2600	2360	dialer.exe	44
PID 2360 wrote to memory of 2620	2360	dialer.exe	45
PID 2360 wrote to memory of 2632	2360	dialer.exe	46
PID 2360 wrote to memory of 2640	2360	dialer.exe	47
PID 2360 wrote to memory of 2656	2360	dialer.exe	48
PID 2360 wrote to memory of 2836	2360	dialer.exe	49
PID 2360 wrote to memory of 728	2360	dialer.exe	50
PID 2360 wrote to memory of 2488	2360	dialer.exe	51
PID 2360 wrote to memory of 3336	2360	dialer.exe	52
PID 2360 wrote to memory of 3460	2360	dialer.exe	53
PID 2360 wrote to memory of 3508	2360	dialer.exe	54
PID 2360 wrote to memory of 3840	2360	dialer.exe	57
PID 2360 wrote to memory of 3892	2360	dialer.exe	58
PID 2360 wrote to memory of 3964	2360	dialer.exe	59
PID 2360 wrote to memory of 3988	2360	dialer.exe	60
PID 2360 wrote to memory of 4244	2360	dialer.exe	61
PID 2360 wrote to memory of 4300	2360	dialer.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:436

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1472
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2024

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies registry class
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2600

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2656

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3336
- C:\Users\Admin\AppData\Local\Temp\Mercurial-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Mercurial-installer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAbQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYwB2ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe
    "C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1636
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3092
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1228
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RRRIIGYR"
      4⤵
      Launches sc.exe
      PID:3804
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RRRIIGYR" binpath= "C:\ProgramData\windw\Winhlp32.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1180
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RRRIIGYR"
      4⤵
      Launches sc.exe
      PID:1220
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2692
- - C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4732
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4860
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE72.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D719CE6B61140418D8A25383CADDB22.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0uxbnolt\0uxbnolt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4628
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E62.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF70499671BCC4AB19DA110EB2AB736C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k3wxqpg3\k3wxqpg3.cmdline"
      4⤵
      PID:700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AA2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC972A9A74758D494487C758012F32DFE.TMP"
        5⤵
        
        PID:2724
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucvtptw1\ucvtptw1.cmdline"
      4⤵
      PID:3828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C19.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E0BA4FDBF3246959B9BD79C6BD2E72F.TMP"
        5⤵
        
        PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdaa9e3cb8,0x7ffdaa9e3cc8,0x7ffdaa9e3cd8
    3⤵
    PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1368,7454441263515089076,1706770529591454487,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1368,7454441263515089076,1706770529591454487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1368,7454441263515089076,1706770529591454487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
    3⤵
    PID:1424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1368,7454441263515089076,1706770529591454487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1368,7454441263515089076,1706770529591454487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1548

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2572

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2500

C:\ProgramData\windw\Winhlp32.exe
C:\ProgramData\windw\Winhlp32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1400
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3324
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4024
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4748
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2140
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3388

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:420
- C:\Windows\System32\pcaui.exe
  C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
  2⤵
  PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3308

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4172

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Modifies registry class
PID:4216

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:1760

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
c367e45d79e2ecbb2bbe40658a56981c

SHA1
0f0b95e1b356257939c612f63f5660c744ebb131

SHA256
297fb04208874c895b176535ae1a5073dd7ba1e0d80fc3eb1d28744b84c177a7

SHA512
624047fb2510327d7e239ed865ac285d66deac4d03940d14a85069361ca86f96d3a84a69e0cbc8ee652acf33ef62cde69e92eed05041dff93c8125f35f698b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e826770e88318fe8f2db3f380cc22916

SHA1
d4ebc1b80456022971bcbe046fbc95b821592eca

SHA256
39b58b21a085a32ab8c05a900f7865051b785bc0cf2b499a1cc8e26adc34165a

SHA512
c8f2f24e216db852c957bea9d5d3961b15d7274b02e72534ae496bbae0149c682155a6a24a0b74bdbda62374050e71e897d8010aeefd4c13d1290327b30708b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aceef780c08301cd5b23ae05d0987aca

SHA1
d7dacb2528c70e3340a836da7666fcffd6f2a17b

SHA256
257d92d753dd7de9a01fb0c77c63f8c3ed01ea6d7c14d8c5e1fb2db50e0077aa

SHA512
95943d8b8db3450627559344429cb82c09fa2a61b35721f400a26378bafdb1d3243d52c7eecd3c2c355373de7f48d0bf290987e7064d80b9fa689f17475ae729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8eab518f961acd751437995e429b52db

SHA1
587ed3304ebbf0ee93ffc57589d7089bf3659593

SHA256
36d687c86831b7ead1f2bb021bc1b44788bf6dbaccce7da86e380324a27cbcab

SHA512
450267c5116a1e37c110646fcd7b146d6c52d4d906ab84dd66930882705f70f26e790f187ee5a4786245428c25ea954bdc9208c4df6f8f8bd801661521724f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f095a1dc4b6a8e1bdc86f3e6367f737c

SHA1
22639827d9b9706e9a8954389f49a876bb603e89

SHA256
d7fc72f53a53ae7d54df1641ce5ffaea0c9dc8902bf4c29c52acfcb115200663

SHA512
071c2a1f797c634c362e44c3f6e88e8b07b1963e41ca626a5228180100547e9067bcb8ce730342b1c25152d59dd23287e2055cf504da227b366f04e22cecc7a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
115e99addcbba4eddf8093ae0955f3a3

SHA1
46a96096314475dd3aef64b2498e4dd6489b64d6

SHA256
549bd15fbf645c8a17d171fa7c4fadb5310ed248607c193ba12961370e9ba069

SHA512
93e6e8124e99a231cfe29e13b05878a13c5a19fd374ca4f2cd3ee10d5251977a9b4a29593558628fb07e041c81842c33e5e4ece1cc9947e0cffa86e32d0796be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\650fff9d-a18e-4b31-b47e-e1d11d5378e8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
77182f6162ec533ba77918fb9298483b

SHA1
da99c36d5e707deb5189336e1a47787c791b9be5

SHA256
d3ad0e99262591bf64980d3b21e9aa1f089106a640c548ae76eb0a28f5a3213e

SHA512
5159bb14be506aa65923193dc3fadcc47646ade77249fd907e1be74a9ab9e8656dfb3f34043d6b0ba27ca088a68ec1eb8e068f81d59e6b87c906b1679e0ac6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe

Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E62.tmp

Filesize
1KB

MD5
1f9e392d53ad4620e674b31f404b2949

SHA1
6d8bc2e276002e43884f20751ec1dcc71a4d7e17

SHA256
b262104ae3e7338ae64e9e26983124904567598ba2fe6815d08543b0edb1b412

SHA512
5bede633c2ae068ee6193deb6fc0a16eedc0e48814a95c06ec36136403e6db4cad0208aeead8e1b6ad83069b3c60775b44d9619e6729d92b65f92f6a31bdebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AA2.tmp

Filesize
1KB

MD5
954e4002fd47c1dc22b3f62b25de4f47

SHA1
ecabefa5f35263f118f317c82fe995ddcf3a3cc2

SHA256
90dd1bdf34a883228df0e4f1169e513bb7b006f8c160731a7cbdbc96a7f547b2

SHA512
9ef6e187e64e8f6f42ce749cf3c6bbdd5dea84fe408d254ed09ec8b4e0ce1b2c639093ad72001cf58004249deefcc101c85c1b6f7b1c53aa84e9a9e6a5b57710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE72.tmp

Filesize
1KB

MD5
a9fa909caa4fefd10eda4f19b6f8d380

SHA1
f1486d2746b24fb6d46857333171938cd505dc04

SHA256
a1ca742aa288c47d9cc21238ccc192854c58d8858294c995e96b0bf74afd88c8

SHA512
b9fc0c9d0d081eabf68c709368ce6f679dbf1952e086b0f0ad574b3fb13eafc19ddaa4918331e3571968b5615ec20521255245b5f2ac2b91870fa5b197fd42c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe

Filesize
2.8MB

MD5
7d745c0b978f2832393f47893db5fdc7

SHA1
a1349f9fd6643fd4e22825df032a903266244f52

SHA256
598ebf3f7679ebeaae0aad292bb2357ab9f76cff351c53cb239b34088632b055

SHA512
aa6aefc3d61543d2c76cbdfccef915b315cb78ae5f23ce59f0af6157f913c9a2a7c7feef96988d55ec6a504715127d414e9eff5827dc843fdf4151910f1e8940

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_il4hvmu1.mr1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f18460fded109990.automaticDestinations-ms

Filesize
2KB

MD5
b7c927a745169c73e6b4ac8ee5bb8cbb

SHA1
9fee25ed40cddc5922c97a47228919fee7959e1b

SHA256
e1458eb3435c906a7589e164831191d8b29867eb9aa6f9cbad2b265a6543d314

SHA512
c8655e3615097ca0a2eb0c4cf72639c9bf007c380704e5724818baa0ad5998cce21e5dd8000ce915043a8d670751f733a2f32be860189e9591bceef0ac721b99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uxbnolt\0uxbnolt.0.cs

Filesize
11KB

MD5
c616ada93a163fc5bb34d120bb41d263

SHA1
693d543d133cae1d294f69cce6e6ceec4563075f

SHA256
0fe83169e2b6dde628793386566c10d0e4fdd3018e78775d4c03dc0c10d348e2

SHA512
e5a846942d9e7b20bd938efc57975e538dd4bd11709611f891c459af8ccf8de3b70aff28223ef9f109ecb3e4b2603274097043d6f0abc31200775913f240d332

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uxbnolt\0uxbnolt.cmdline

Filesize
831B

MD5
ba7364732c8fc690df059f2538bbf9f4

SHA1
9f0ff9b7836a1a410094761b0746162d602dc445

SHA256
a8cfe9fcd413952ce9833f927fb4654ee4372fc7d06302bc566b068912dfdb77

SHA512
635036392b6daecb64d62c6c6c3d51551507b94275afdc76a178c53f07f2cdd496b5cb86feb14a3cdc858a22c0e993c611d32de15f6765210d7f6ccf71f179fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9D719CE6B61140418D8A25383CADDB22.TMP

Filesize
1KB

MD5
4a8b69d1b2c8695736b8c2273da513dc

SHA1
6519bfd357318ebc69831e8c9a12626c5a34dc2e

SHA256
d9edfacf147f183b116c4ba680fe1087d13f04fa7dc92ca7e9bc9f2fdbca24b6

SHA512
e4bf306c4ff1b6be85fa7824ba7e9c50906e965553fcbcb9debd966220b0328134d99ceedc6d563296332056c243dd310e8fe36e2fee2c3864f7aa67fde225e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k3wxqpg3\k3wxqpg3.cmdline

Filesize
831B

MD5
5af36dbf5ecb9a38b0b91c07b20c57fc

SHA1
b81c4f645b5b9d04879e1593ab0ebae4b5c09b74

SHA256
9bf61ae5fc2ec760ac361c2e5ea00fee2e6ac2921ee3ca7f345cbdc75aecc528

SHA512
5692a362cf5dc455d80721063b9d54d69a6dc71d7f81e8baa756d223226a01deb25046a6d46fb12ca7ca6b9f94831f7bde2e7c80b8c33fc16d9a41707084e866

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.0.cs

Filesize
11KB

MD5
498ccf4464c8b65ee90be22ca66d6e9e

SHA1
378469ef3a0dbf701a9d97e1ce4eb88f4648285c

SHA256
cee43078e93257dc44bf825499c9b3be862ec0566aed819a4cb2d121843bf293

SHA512
6faf2e08cbc96c27d339578f42b5da0242acf24675da4f4a1edeed7f2ea347fd9a3b3664bc3ee57edef3b343dfa22f2ac78766f9ec4ee4a583c6d249b832fae4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.1.cs

Filesize
5KB

MD5
8aab1997664a604aca551b20202bfd14

SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5

SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.2.cs

Filesize
7KB

MD5
6fdae9afc1f8e77e882f1ba6b5859a4e

SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5

SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.3.cs

Filesize
8KB

MD5
6ba707982ee7e5f0ae55ce3fa5ccad17

SHA1
d094c98491058ed49861ce82701abe1f38385f18

SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.4.cs

Filesize
2KB

MD5
fae5458a5b3cee952e25d44d6eb9db85

SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42

SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.5.cs

Filesize
4KB

MD5
42f157ad8e79e06a142791d6e98e0365

SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443

SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.6.cs

Filesize
6KB

MD5
8ec0f0e49ffe092345673ab4d9f45641

SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495

SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.7.cs

Filesize
16KB

MD5
05206d577ce19c1ef8d9341b93cd5520

SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d

SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.8.cs

Filesize
561B

MD5
7ae06a071e39d392c21f8395ef5a9261

SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930

SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.9.cs

Filesize
10KB

MD5
380d15f61b0e775054eefdce7279510d

SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157

SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n103nv33\n103nv33.cmdline

Filesize
831B

MD5
3f9fdf3aab58e2a8e8f036af718f3f09

SHA1
94049917fadbd377dbf5612f0f934b70d4579009

SHA256
8470d9b65e1053326a705d9a34186e464aff43c1d18716720dceb00bc9d9a9b9

SHA512
7216b43fe124e8b1fc6814d9c66c34477084dace1e5d4223f68805398918cb208b1efb4b10b7f25044f7a38cccf007addd585253dc22fa6ab8855c50adfa02f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
41KB

MD5
f40c4b99e38ad73e5448c0870687cb8b

SHA1
e7dccdc25163c85c7217a78970f507328ea65d76

SHA256
cd4037f59e2bfd4b7d202f8717940a2ec7b32ea1ca842e8bd82aca2266ec9a1f

SHA512
8d3442c97e16a1c83306a34057724f9610848dc91994f2f7d6401982b8bbf2dbff5f8451b1887f22efd629d4f336c88c78451a5cc0f32e8c9e82ac6f5c7f70f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
41KB

MD5
16ed28d259e85c30a2c5a0ad4cfb81bb

SHA1
507f596bb2a9854be199cd497bed5c0accd50c28

SHA256
5a477f376084cb05eb656a8c08f16a27d586ffa6b48579e6ff84601e7a1222ba

SHA512
4c8e03be6f7e754c37c7a0fc9812f87dc3000a76e7818a5d6e0c4cc6dd7d1baf3de72df249c1685cc81222c82cb23f65b5d4aac4aa2bf1f3385985fc63f182d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ucvtptw1\ucvtptw1.cmdline

Filesize
831B

MD5
00cf7c4cca9707652f847f37f9c84428

SHA1
fd4051b61c26bf61930ce7cd0f1e02111f16bb7e

SHA256
6ef16ecb8b8805f21cca69378cba52d3efd79ae4ee8bd7acbb70be5de6cac564

SHA512
a3618e84f9848425a7783344427e506d14250faa9ee70fbb6083cc5b13821c1d3e375e4d0c7da547fc2d7c64d838cc4511a4cceb45b0c7718beb9cace292bea1

Download Submit
memory/436-107-0x0000013C80570000-0x0000013C8059B000-memory.dmp

Filesize
172KB

Download
memory/436-108-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/612-98-0x000001F0E6400000-0x000001F0E642B000-memory.dmp

Filesize
172KB

Download
memory/612-99-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/612-100-0x000001F0E61B0000-0x000001F0E61D4000-memory.dmp

Filesize
144KB

Download
memory/708-102-0x0000023FC2FC0000-0x0000023FC2FEB000-memory.dmp

Filesize
172KB

Download
memory/708-103-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/780-115-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/780-114-0x000001C9C5D80000-0x000001C9C5DAB000-memory.dmp

Filesize
172KB

Download
memory/788-2-0x0000000001DE0000-0x0000000001DE6000-memory.dmp

Filesize
24KB

Download
memory/788-32-0x00007FFDAB210000-0x00007FFDABCD2000-memory.dmp

Filesize
10.8MB

Download
memory/788-5-0x0000000001F00000-0x0000000001F06000-memory.dmp

Filesize
24KB

Download
memory/788-4-0x000000001C560000-0x000000001CB94000-memory.dmp

Filesize
6.2MB

Download
memory/788-1-0x0000000000F80000-0x00000000015DA000-memory.dmp

Filesize
6.4MB

Download
memory/788-0-0x00007FFDAB213000-0x00007FFDAB215000-memory.dmp

Filesize
8KB

Download
memory/788-3-0x00007FFDAB210000-0x00007FFDABCD2000-memory.dmp

Filesize
10.8MB

Download
memory/996-111-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/996-110-0x0000024F98AA0000-0x0000024F98ACB000-memory.dmp

Filesize
172KB

Download
memory/1028-119-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1028-118-0x0000022794110000-0x000002279413B000-memory.dmp

Filesize
172KB

Download
memory/1036-127-0x0000019C53B70000-0x0000019C53B9B000-memory.dmp

Filesize
172KB

Download
memory/1036-128-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1164-131-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1164-130-0x000001A8D4E90000-0x000001A8D4EBB000-memory.dmp

Filesize
172KB

Download
memory/1192-134-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1192-133-0x0000022B4B130000-0x0000022B4B15B000-memory.dmp

Filesize
172KB

Download
memory/1200-136-0x000001DF6B6C0000-0x000001DF6B6EB000-memory.dmp

Filesize
172KB

Download
memory/1200-137-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1276-139-0x00000232F1DA0000-0x00000232F1DCB000-memory.dmp

Filesize
172KB

Download
memory/1276-140-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1340-143-0x00007FFD8C0F0000-0x00007FFD8C100000-memory.dmp

Filesize
64KB

Download
memory/1340-142-0x0000020DDD860000-0x0000020DDD88B000-memory.dmp

Filesize
172KB

Download
memory/1660-55-0x00000000051B0000-0x00000000051BE000-memory.dmp

Filesize
56KB

Download
memory/1660-54-0x0000000005170000-0x00000000051A6000-memory.dmp

Filesize
216KB

Download
memory/1660-56-0x00000000051D0000-0x00000000051DE000-memory.dmp

Filesize
56KB

Download
memory/1660-57-0x0000000005A40000-0x0000000005B8A000-memory.dmp

Filesize
1.3MB

Download
memory/1660-49-0x0000000005050000-0x0000000005070000-memory.dmp

Filesize
128KB

Download
memory/1660-62-0x0000000005A00000-0x0000000005A30000-memory.dmp

Filesize
192KB

Download
memory/1660-45-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/1660-44-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/1660-43-0x0000000000120000-0x000000000045A000-memory.dmp

Filesize
3.2MB

Download
memory/1660-53-0x0000000005130000-0x000000000514E000-memory.dmp

Filesize
120KB

Download
memory/1660-52-0x00000000050B0000-0x000000000511E000-memory.dmp

Filesize
440KB

Download
memory/1660-51-0x00000000050A0000-0x00000000050B4000-memory.dmp

Filesize
80KB

Download
memory/1660-50-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1660-48-0x0000000005030000-0x0000000005050000-memory.dmp

Filesize
128KB

Download
memory/1660-47-0x0000000004E00000-0x0000000004E1C000-memory.dmp

Filesize
112KB

Download
memory/1660-46-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/1660-61-0x0000000005B90000-0x0000000005CA6000-memory.dmp

Filesize
1.1MB

Download
memory/1660-63-0x0000000008750000-0x0000000008758000-memory.dmp

Filesize
32KB

Download
memory/1784-358-0x0000020069520000-0x0000020069526000-memory.dmp

Filesize
24KB

Download
memory/1784-352-0x0000020069310000-0x00000200693C3000-memory.dmp

Filesize
716KB

Download
memory/1784-351-0x00000200692F0000-0x000002006930C000-memory.dmp

Filesize
112KB

Download
memory/1784-353-0x00000200694D0000-0x00000200694DA000-memory.dmp

Filesize
40KB

Download
memory/1784-354-0x0000020069500000-0x000002006951C000-memory.dmp

Filesize
112KB

Download
memory/1784-355-0x00000200694E0000-0x00000200694EA000-memory.dmp

Filesize
40KB

Download
memory/1784-356-0x0000020069540000-0x000002006955A000-memory.dmp

Filesize
104KB

Download
memory/1784-357-0x00000200694F0000-0x00000200694F8000-memory.dmp

Filesize
32KB

Download
memory/1784-359-0x0000020069530000-0x000002006953A000-memory.dmp

Filesize
40KB

Download
memory/2360-94-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2360-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2360-75-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2360-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2360-81-0x00007FFDCC060000-0x00007FFDCC269000-memory.dmp

Filesize
2.0MB

Download
memory/2360-82-0x00007FFDCA450000-0x00007FFDCA50D000-memory.dmp

Filesize
756KB

Download
memory/2360-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2360-80-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3768-60-0x00007FFDAB210000-0x00007FFDABCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3768-39-0x0000020D72D20000-0x0000020D72D42000-memory.dmp

Filesize
136KB

Download
memory/3768-33-0x00007FFDAB210000-0x00007FFDABCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3768-31-0x00007FFDAB210000-0x00007FFDABCD2000-memory.dmp

Filesize
10.8MB

Download