discordrat | hxxps://www[.]mediafire[.]com/file/vd096ertuoudvph/SETUP[.]zip/file

Analysis

max time kernel
211s
max time network
200s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/vd096ertuoudvph/SETUP.zip/file

Score

10^/10

discordrat defense_evasion discovery execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NTE3NjE3MDYxMzYzNzI3Mg.GfLOZG.Mix4fwAYEff7M5-ZFTjYnQ0AN56JgFEJUbug7M
server_id
1355176088489169088

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5612 created 628	5612	insatller.exe	5

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4624	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3680	insatller.exe
5612	insatller.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
473	discord.com
479	discord.com
483	discord.com
480	discord.com
482	raw.githubusercontent.com
141	discord.com
471	discord.com
475	discord.com
477	discord.com
469	discord.com
478	discord.com
484	discord.com
24	raw.githubusercontent.com
264	discord.com
472	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5612 set thread context of 2868	5612	insatller.exe	134

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876693466568377"	msedge.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{34002B68-09ED-4438-8153-E567FFBFE565}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{8C1718E4-2964-4D68-B7A2-34AF3242111A}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SETUP.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
5612	insatller.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe
2868	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2200	setup.exe
3272	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	insatller.exe
Token: SeDebugPrivilege	5612	insatller.exe
Token: 33	3292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3292	AUDIODG.EXE
Token: SeDebugPrivilege	5612	insatller.exe
Token: SeDebugPrivilege	2868	dllhost.exe
Token: SeShutdownPrivilege	468	dwm.exe
Token: SeCreatePagefilePrivilege	468	dwm.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeAuditPrivilege	2648	svchost.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeSecurityPrivilege	3272	Explorer.EXE
Token: SeTakeOwnershipPrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeAuditPrivilege	2648	svchost.exe
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE
Token: SeShutdownPrivilege	3272	Explorer.EXE
Token: SeCreatePagefilePrivilege	3272	Explorer.EXE

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3272	Explorer.EXE
3272	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3272	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1376	1072	msedge.exe	78
PID 1072 wrote to memory of 1376	1072	msedge.exe	78
PID 1072 wrote to memory of 3136	1072	msedge.exe	79
PID 1072 wrote to memory of 3136	1072	msedge.exe	79
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3332	1072	msedge.exe	80
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81
PID 1072 wrote to memory of 3480	1072	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{886ae8ad-2b6f-4cf9-8a9b-a82859f39e09}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2076

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2512

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3024

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2860

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/vd096ertuoudvph/SETUP.zip/file
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x220,0x25c,0x7ff9dac1f208,0x7ff9dac1f214,0x7ff9dac1f220
    3⤵
    PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:11
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2068,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2432,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:13
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
    3⤵
    PID:1048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4100,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4116,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:9
    3⤵
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3400,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4152,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:9
    3⤵
    PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4748,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4264,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:14
    3⤵
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:14
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:14
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5644,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6040,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:1
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:14
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:14
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6592,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:14
    3⤵
    PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
      cookie_exporter.exe --cookie-json=1132
      4⤵
      PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:14
    3⤵
    PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6768,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6892 /prefetch:14
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6628,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6640 /prefetch:14
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=7012 /prefetch:14
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:14
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7336,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:14
    3⤵
    PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7484,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:14
    3⤵
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7472,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=7620 /prefetch:14
    3⤵
    PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7488,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
    3⤵
    PID:2688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=4712,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=4816,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6656,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:1
    3⤵
    PID:1304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6968,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:1
    3⤵
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7656,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=7676 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8024,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8008 /prefetch:14
    3⤵
    PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=8016,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8076 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=8428,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8468 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8020,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8484 /prefetch:14
    3⤵
    - NTFS ADS
    PID:776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=8644,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8636 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8360,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:14
    3⤵
    - Modifies registry class
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8596,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:12
    3⤵
    PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=4280,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=8424 /prefetch:1
    3⤵
    PID:5804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=4684,i,2147573037383033888,4405489200729777827,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:1
    3⤵
    PID:5832
- C:\Users\Admin\AppData\Local\Temp\Temp1_SETUP.zip\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_SETUP.zip\setup.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2200
- C:\Users\Admin\Desktop\insatller.exe
  "C:\Users\Admin\Desktop\insatller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Users\Admin\Desktop\insatller.exe
  "C:\Users\Admin\Desktop\insatller.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3676

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3560

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5980

C:\Windows\system32\DllHost.exe
"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}
1⤵
PID:4116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\insatller.exe.log

Filesize
1KB

MD5
c4915f5546d95ffeec60455267cb8491

SHA1
5ea32fd86aaef190b4ed125d5f956b5b6c2e6e2a

SHA256
77804cbabdc25c2a9574a84e4f4c299754b181b785cd0e49f5169dbda4ea1014

SHA512
24f7ab8e933f2202af3a5d55c5c04465eb151679f5a0bd8b6f23e2423b4d436374bb3207c1d172615f1d966a22da41b88476511e4441fe5c2b915b53f6c624a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
02cf1313b32a8ab2f031cee39bee8fc3

SHA1
861cc0ab9ff881460dd6433e37075b822aac9355

SHA256
7e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61

SHA512
f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8165d331a65e980c7f75dba657342854

SHA1
44967c0388744de38b07e07e3a9cb174854eb7bf

SHA256
08d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9

SHA512
ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a7746999f724961ab727817a88ce0349

SHA1
297a68d075dabbc9492539645126756a644c4e33

SHA256
dab1efccbc700f22bc871e5e948493f18001a98200ffbcce26ffbb0d77d3b42d

SHA512
231d694f835b5f107445ba7dddda64cec60b989bb18172d9c43a9836257ffe5a165bdf56500614b5d010c592d037bedb6b21f728e43da40b0b699960220efc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\21c975df-9632-4d8c-9eee-61b8a238db37.tmp

Filesize
21KB

MD5
f9abbb1e4b84a8326cd71a620585914b

SHA1
21d09b15cb9bc36aeb28bb079e7defab21566e6c

SHA256
d65c2b5b16ab615edbbfc1f85254f4b0adca5b87cd7a7218ec171dd1ad610757

SHA512
91a370d8787e81124c499ddbdbf14a1bacd52694ecf4038278b7c5cdb62c90fad3ad4f42c1025f955c563ea3db980eef3681eb19cce1c9c0caf7741ce637d5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b8

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
d6583e7197eab35586609a320b473c0f

SHA1
c9995c2063a7647c32910cb7ddd430f6c9f2c1f7

SHA256
189f095f42ed9420ed825fbf29889457b2006cf4e57c22b001a1739082d60356

SHA512
75fab5f9a29923fcaace3c8fa69918b5f8fb908e33a03194c268cfd41864ece87fb948b5a4a73cc38e782398e5c9f55cdf81287026f81c1f4080e31ac8516f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57abff.TMP

Filesize
3KB

MD5
382d816cf26420b566a1cbaafffc3456

SHA1
8dfdc933d01dc165687202c2d698bc3e6cd65b8e

SHA256
e6f157d1048e46e3a15d031a65435ff5b5274ac6a4a9127637a1c78d9288cfd7

SHA512
92cd4e2e0d5daac88cd547e2a280a8bf2c7f19bda2e847d45c400f52165687d725731cb5b12110725dfe0959fe0297ff2615c3c27db1c21c692a69a283bafbab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
22KB

MD5
966a4ccd22bab61417224700cdea60b2

SHA1
3d96f6284901a9e281038a460c1be1a7957a64c3

SHA256
6652187ae8a822ad660fd0e4cc4463d041aa4dbbb8321a3307e2727e161b0dfd

SHA512
1c51ad1f06a1f32bdc5eebd6d58ab565251701947b8874a075d25cfbd593b7fa79f226e9d48d4bc97394e3ba7edca1567c67c628aeb49616bb90f1a6eea6a649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
ba9547e0d6d457d0ea8f9bd9fbc03910

SHA1
f5e57200197c6910880fc326a9ab0684978193ba

SHA256
b0a4e93941e557a1b1fdf155bb0222aeb10ac90bf86798ea7e5949669be97e7f

SHA512
b285a5d20ccfdc185063ccae40c4d53db1e884e7bc5a4fe063b53386c64c2b42a4cfad8558c783d92b720701497c2b4716086e9ced950cc808e239f2d458048f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
4175a91f3ce350b6aabb9a6e7bdc82a1

SHA1
d6a30b180aa8430e985bef278bd6392449a347c9

SHA256
2119149e8ecbdee2c23dbd59030e8a6a02b9d7210dbaf6ff8d5d6768ff211f21

SHA512
cbe650bbbac8a867445836e742c3823dd37e60e24d6c3fbf672125d18dab86f4a86a610d76ebb9bbadb16e36c6b5ea4f4569a13d9bc2c2d79a52bcc276d03445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
96e8e9207ddee608bbb765c8c19366ca

SHA1
e5750fd8d34fc7012ddb2b72ba94646431514c6e

SHA256
0f1e385210e058ccc4b26c3cfec4f90d830afb4e196a9be824a5ac08d78740bb

SHA512
7e51b1703e11c3b75124cd36789cd07b9f45ea5a689bd0f50f2ba505a0cbe13c902a7c59acdc61fb2b58a0fbdf45d9991e88327d05e3389075f42da33e4be80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fe1542227e1101ba4f41095dcd654fef

SHA1
c9eeb7b082c10777e0bc0af27da53af16e9cc550

SHA256
a849daf0a41a21c6267ae25b6695f365d63f5a019f9ec84f8d235c970eed1d43

SHA512
0d36c044a25b0a7bd490132a4945313127029049f025035ab12e1f430f5fe6cef19d1183667e99e21de2bb09f1b61e59901fc9f79d7c8a43f6c8fc3ba0ffcf1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57abef.TMP

Filesize
48B

MD5
4b423758e31eabaed4bef570e5618a14

SHA1
ce6dca9aacc6b0d8b081cec032d91cfe09d41db1

SHA256
27afd9d27bde6bf93e4363bdcdb3b5e075dc0ac25592e884c87114e7163285be

SHA512
18e10011721b5dafddd124e7154e53b04ed05a2869d6b9388cea68d25951eb5a60dcdbcc582e34a4008ab7bae87ce02d47eb6e6b88bca0a3ebf0035d2050d755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
d2c1ef2fec77c243fc01a7e40d97ca14

SHA1
49dfc13e3f0757c9146ee8629fa6cd923c98e603

SHA256
579cc36b44a31cc109ee0d08905f1472638e99e5628d16938ecf5b9a73d49fec

SHA512
a7b7b5e7604c08fa637b87e25f38f77e1f2bb6f734f830381f2d3a47e2374c9d182bcd39ff984701a1f3620a0f6f873ff3f5a078f5b4fa4c4181a545563dcfba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
d709d54c490b2382ee51fc5893c4b9c2

SHA1
a00ed2c7a689762c8535509aaef9d8ebdb391929

SHA256
d9828b37efc41277fedf8dfdc57f800285a96638a48cf01b33b9b7b92bd9421c

SHA512
f8d8f7fa95d5733423e6cbe3bcb220c3480fd20b85c24116467869c12bd6b06474b17f25f9408a8c9b4932cc2a089876ccf797fcdde8c0f0b0c0a667d51bfc92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
37KB

MD5
00969a0d14eaca2066c70327bcf1a28a

SHA1
a799719f9e24d07e2868fede0c9dc946f0a7f585

SHA256
252fee0feb405c7d6702f68626bab878380b420c0a2b987f5b877680b230c7e7

SHA512
d98b51e0a4eed36a33fac7a52b6f2b592058077bced56cbfd5683031f54c37072cdbe41a6fee9d1acf0e189bc911dfab869cc53f34765b36bad7ba9ab4f0583f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
fde5a1016da21a77f6ad226d1147f019

SHA1
8fc2923469182bb5a242ddd0a092e02c1d98b47c

SHA256
a582e14e8b58945780b778adb56d1843cd62856d839717ea7c381181558a608d

SHA512
1a535c6794983e7953a0a67cae9eb8ac7eb6983d6fffe2f452490025cb84ca9bd4fe159a025553cf396b47ce43ab3298b91432e7b6a2e2b8a2a9d52f8aad26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\00ef0609-803e-4df8-8722-33f9b439fd6f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdeevb5t.2dz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d76855aa-70dc-451f-9617-753bc898e38a.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1072_1127882271\f9a0093c-7d68-4194-9768-fb5bd7889127.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Desktop\insatller.exe

Filesize
78KB

MD5
0a168387794c114bb7df52e3fe7cb356

SHA1
51abc37a778ef2a17a6f319735cb6d030ba06659

SHA256
506c2077992b25ea91cc711f6147dbb17db6f7d039f9b7ee821a69c24bf38db1

SHA512
f81072a7d86bc05da77a7442df375e6decb5b6a6224dd7149d045297c52862d1ae4257274b1bea770085ab64f39fcca54c055f60cfb10a3b4272cfce00e73f29

Download Submit
C:\Users\Admin\Downloads\SETUP.zip:Zone.Identifier

Filesize
309B

MD5
7f46bf31b5ec3ff313cc7a54290e8fff

SHA1
52ee366d590dbabe65f5098e296ce8ac612a50ba

SHA256
dc9d7128e980487e4489623f8fc2e55c58ae233d22d3d299c8cc458b694fafef

SHA512
92af209e0128643ca8cc64bb62c1a4c6acd2312860c8793c97851e0f2582a31457a1005e2c499b557497ee12f25a3f98f890f0c86908f1c6dbc192a7a54278d1

Download Submit
memory/468-1057-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/468-1056-0x0000023A43C70000-0x0000023A43C9A000-memory.dmp

Filesize
168KB

Download
memory/628-1048-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/628-1047-0x000001CB3DF20000-0x000001CB3DF4A000-memory.dmp

Filesize
168KB

Download
memory/628-1046-0x000001CB3DEF0000-0x000001CB3DF13000-memory.dmp

Filesize
140KB

Download
memory/688-1051-0x0000025599FD0000-0x0000025599FFA000-memory.dmp

Filesize
168KB

Download
memory/688-1052-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/2172-1083-0x0000000001BF0000-0x0000000001C1A000-memory.dmp

Filesize
168KB

Download
memory/2172-1084-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/2572-1093-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/2572-1092-0x000001F900030000-0x000001F90005A000-memory.dmp

Filesize
168KB

Download
memory/2868-1044-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2868-1041-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2868-1042-0x00007FF9E9DE0000-0x00007FF9E9FE9000-memory.dmp

Filesize
2.0MB

Download
memory/2868-1043-0x00007FF9E8CE0000-0x00007FF9E8D9D000-memory.dmp

Filesize
756KB

Download
memory/2868-1040-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2908-1100-0x00007FF9A9E70000-0x00007FF9A9E80000-memory.dmp

Filesize
64KB

Download
memory/2908-1099-0x000001E091990000-0x000001E0919BA000-memory.dmp

Filesize
168KB

Download
memory/3680-1028-0x00000253DC410000-0x00000253DC5D2000-memory.dmp

Filesize
1.8MB

Download
memory/3680-1029-0x00000253DD4C0000-0x00000253DD9E8000-memory.dmp

Filesize
5.2MB

Download
memory/3680-1027-0x00000253C1D30000-0x00000253C1D48000-memory.dmp

Filesize
96KB

Download
memory/4624-1329-0x000001FF7C3A0000-0x000001FF7C3C2000-memory.dmp

Filesize
136KB

Download
memory/5612-1037-0x000001EBC7E20000-0x000001EBC7E5E000-memory.dmp

Filesize
248KB

Download
memory/5612-1033-0x000001EBC8B30000-0x000001EBC8BDA000-memory.dmp

Filesize
680KB

Download
memory/5612-1038-0x00007FF9E9DE0000-0x00007FF9E9FE9000-memory.dmp

Filesize
2.0MB

Download
memory/5612-1039-0x00007FF9E8CE0000-0x00007FF9E8D9D000-memory.dmp

Filesize
756KB

Download