vidar | hxxps://www[.]youtube[.]com/redirect?event=comments&redir_token=QUFFLUhqa2VVRHhrcVFGWW1zRVJYMTdtVld0Y0s1SWVRQXxBQ3Jtc0tsUUJKVFZlVXZRZGZEdDFISDc1ZkluY0s0a3BWYzdHa1hMYnk1eWt0Zm8tdklLV25DcUpVbTZEQXplZTljNHlWdHd1QlNpdDlPeFdPY19zUTdVT1JQaEhBa2Z2Rmlac1M2cVVNaVZUa3FPSC1jQVp2NA&q=https%3A%2F%2Ftinyurl[.]com%2FPureSoftware

pid	Process
5288	chrome.exe
4112	chrome.exe
1684	chrome.exe
6020	msedge.exe
852	msedge.exe
4352	msedge.exe
1076	msedge.exe
4488	msedge.exe
5812	chrome.exe
3192	chrome.exe
3440	msedge.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 3212	2972	Pure.exe	119

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\zu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\fr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\is\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\si\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\km\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\nl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\id\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\az\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\lv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ar\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\fa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\hy\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\no\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\tr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\en_GB\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\iw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_5876_689536977\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\fi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ka\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\lt\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\mn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5876_1543816635\_locales\ms\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pure.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Pure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Pure.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876283246840273"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{9289372A-9F30-43DC-9F5A-564F8857F765}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{01248A05-438C-45D7-AC71-3BBE0C2B0280}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PureMaster.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2020	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3784	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
3212	Pure.exe
3212	Pure.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
3212	Pure.exe
3212	Pure.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
5812	chrome.exe
5812	chrome.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
3212	Pure.exe
3212	Pure.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2464	taskmgr.exe
3784	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5812	chrome.exe
5812	chrome.exe
5812	chrome.exe
5812	chrome.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	taskmgr.exe
Token: SeSystemProfilePrivilege	2464	taskmgr.exe
Token: SeCreateGlobalPrivilege	2464	taskmgr.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: SeShutdownPrivilege	5812	chrome.exe
Token: SeCreatePagefilePrivilege	5812	chrome.exe
Token: 33	2464	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2464	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3784	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5876 wrote to memory of 4160	5876	msedge.exe	78
PID 5876 wrote to memory of 4160	5876	msedge.exe	78
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4668	5876	msedge.exe	81
PID 5876 wrote to memory of 4668	5876	msedge.exe	81
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 4468	5876	msedge.exe	79
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82
PID 5876 wrote to memory of 5624	5876	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqa2VVRHhrcVFGWW1zRVJYMTdtVld0Y0s1SWVRQXxBQ3Jtc0tsUUJKVFZlVXZRZGZEdDFISDc1ZkluY0s0a3BWYzdHa1hMYnk1eWt0Zm8tdklLV25DcUpVbTZEQXplZTljNHlWdHd1QlNpdDlPeFdPY19zUTdVT1JQaEhBa2Z2Rmlac1M2cVVNaVZUa3FPSC1jQVp2NA&q=https%3A%2F%2Ftinyurl.com%2FPureSoftware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x284,0x7ffdb138f208,0x7ffdb138f214,0x7ffdb138f220
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2276,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=2924 /prefetch:11
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2280,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:13
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3316,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3332,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:14
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5032,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:14
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:14
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5548,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:14
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:14
  2⤵
  PID:2464
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:14
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:14
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:14
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6384,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:14
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6352,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3384,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6420,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:14
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6916,i,6655682745712505405,6827372067879872234,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffdb138f208,0x7ffdb138f214,0x7ffdb138f220
    3⤵
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1756,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:11
    3⤵
    PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2152,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:6112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2336,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:13
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4248,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:14
    3⤵
    PID:5732
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4248,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:14
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4384,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:14
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:14
    3⤵
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:14
    3⤵
    PID:2020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4444,i,3612748808060371096,375646347990265473,262144 --variations-seed-version --mojo-platform-channel-handle=4708 /prefetch:14
    3⤵
    PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5892

C:\Users\Admin\Desktop\PureCheat\Pure.exe
"C:\Users\Admin\Desktop\PureCheat\Pure.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2972
- C:\Users\Admin\Desktop\PureCheat\Pure.exe
  none
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd9d5edcf8,0x7ffd9d5edd04,0x7ffd9d5edd10
      4⤵
      PID:6088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1948,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2124 /prefetch:11
      4⤵
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2096,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:1236
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2592 /prefetch:13
      4⤵
      PID:4104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4112
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4280,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4312 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:3192
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4608,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4744 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=5352,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5268 /prefetch:14
      4⤵
      PID:1204
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5380,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5460 /prefetch:14
      4⤵
      PID:1472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5544,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5444 /prefetch:14
      4⤵
      PID:5336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5432,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5448 /prefetch:14
      4⤵
      PID:4976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5500,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5436 /prefetch:14
      4⤵
      PID:5352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5716,i,13488892984764181998,14317163384266520386,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5384 /prefetch:14
      4⤵
      PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
      4⤵
      Uses browser remote debugging
      PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ffd9a79f208,0x7ffd9a79f214,0x7ffd9a79f220
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2116,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:2776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:11
        5⤵
        
        PID:132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1884,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:13
        5⤵
        
        PID:1472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3500,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5148,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:14
        5⤵
        
        PID:1544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5136,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:14
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,4389169155124552635,4385418147285016716,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:14
        5⤵
        
        PID:3680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2464

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DismountGet.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2020

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockRevoke.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\GroupRestore.htm
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery