amadey | 390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
24-07-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
Size

284KB
MD5

57a35eb5298b9bec9cd7ffc3fb8204f7
SHA1

93381d2f35df4d54134db07167c2eee616a2d3e9
SHA256

390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48
SHA512

aa1381e1c1fc1003a1996a308940b816662a8560537205547e92f38ea7c70432bdd6e5ad86d8f9732258c33c4a14fac764882b64633d58ca9819ccf54ab93f8a
SSDEEP

6144:LmN7+89JLs1wUPSPB1JEMj5OmAA7kaSbT:Lyi89JWwUPSbD5CP

Malware Config

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

1307newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 3 IoCs

resource	yara_rule
behavioral2/files/0x000100000002ab55-948.dat	family_monster
behavioral2/memory/6580-1210-0x00007FF77F900000-0x00007FF780B3E000-memory.dmp	family_monster
behavioral2/memory/6580-1223-0x00007FF77F900000-0x00007FF780B3E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000100000002ab8f-1010.dat	family_redline
behavioral2/memory/2228-1023-0x0000000000200000-0x0000000000250000-memory.dmp	family_redline
behavioral2/memory/5936-1127-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 6244 created 3252	6244	Blsvr.exe	53
PID 6244 created 3252	6244	Blsvr.exe	53
PID 6244 created 3252	6244	Blsvr.exe	53

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdminAECAECFCAA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingHDGDHCGCBK.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
111	3628	28a9b8a15d.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4804	netsh.exe
5380	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdminAECAECFCAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingHDGDHCGCBK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingHDGDHCGCBK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdminAECAECFCAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3500	cmd.exe
4072	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe	OneDrive.exe

Executes dropped EXE 30 IoCs

pid	Process
1244	AdminAECAECFCAA.exe
2588	AdminFHJEGIIEGI.exe
6920	explorti.exe
5996	RoamingHDGDHCGCBK.exe
6692	axplong.exe
4780	explorti.exe
3628	28a9b8a15d.exe
400	Files.exe
7048	VFxQzH3nDX.exe
5828	jqEDXCaiTc.exe
7100	judit1.exe
6580	stub.exe
4700	54gtxx.exe
2228	newstart.exe
4320	gold.exe
1296	acev.exe
1104	newwork.exe
1404	Hkbsse.exe
6572	2.exe
5836	axplong.exe
5872	Hkbsse.exe
5736	explorti.exe
1256	RobloxPlayerInstaller.exe
5568	lobo.exe
5132	OneDrive.exe
5768	OneDrive.exe
6244	Blsvr.exe
4212	axplong.exe
5308	Hkbsse.exe
5020	explorti.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	AdminAECAECFCAA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	RoamingHDGDHCGCBK.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	axplong.exe

Loads dropped DLL 57 IoCs

pid	Process
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
6580	stub.exe
1296	acev.exe
4516	RegAsm.exe
4516	RegAsm.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe
5768	OneDrive.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Microsoft\Windows\CurrentVersion\Run\28a9b8a15d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021001\\28a9b8a15d.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
133	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5592	cmd.exe
228	ARP.EXE

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5904	powercfg.exe
6640	powercfg.exe
1672	powercfg.exe
5532	cmd.exe
1228	powercfg.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2348	tasklist.exe
5028	tasklist.exe
6948	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6348	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1244	AdminAECAECFCAA.exe
6920	explorti.exe
5996	RoamingHDGDHCGCBK.exe
6692	axplong.exe
5836	axplong.exe
5736	explorti.exe
4212	axplong.exe
5020	explorti.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 6920 set thread context of 4780	6920	explorti.exe	129
PID 400 set thread context of 6960	400	Files.exe	136
PID 4700 set thread context of 4516	4700	54gtxx.exe	167
PID 4320 set thread context of 5936	4320	gold.exe	190
PID 1296 set thread context of 5776	1296	acev.exe	197
PID 6244 set thread context of 3124	6244	Blsvr.exe	259

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	RoamingHDGDHCGCBK.exe
File created	C:\Windows\Tasks\Hkbsse.job	newwork.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\explorti.job	AdminAECAECFCAA.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5780	sc.exe
3424	sc.exe
6096	sc.exe
1452	sc.exe
7116	sc.exe
1588	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000900000002ab55-1315.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000100000002ab79-966.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5212	1576	WerFault.exe	81
3824	3628	WerFault.exe	130
3556	6572	WerFault.exe	230
3976	5568	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newwork.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VFxQzH3nDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminAECAECFCAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminFHJEGIIEGI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingHDGDHCGCBK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28a9b8a15d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54gtxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lobo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqEDXCaiTc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newstart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6852	cmd.exe
1588	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1508	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
6016	WMIC.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6460	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1508	NETSTAT.EXE
3064	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5144	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3664	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
1244	AdminAECAECFCAA.exe
1244	AdminAECAECFCAA.exe
1260	msedge.exe
1260	msedge.exe
3448	msedge.exe
3448	msedge.exe
2108	chrome.exe
2108	chrome.exe
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
6920	explorti.exe
6920	explorti.exe
5996	RoamingHDGDHCGCBK.exe
5996	RoamingHDGDHCGCBK.exe
6692	axplong.exe
6692	axplong.exe
6548	identity_helper.exe
6548	identity_helper.exe
2588	msedge.exe
2588	msedge.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
5828	jqEDXCaiTc.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe
7048	VFxQzH3nDX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
2108	chrome.exe
2108	chrome.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeDebugPrivilege	716	firefox.exe
Token: SeDebugPrivilege	716	firefox.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeDebugPrivilege	5828	jqEDXCaiTc.exe
Token: SeDebugPrivilege	7048	VFxQzH3nDX.exe
Token: SeBackupPrivilege	7048	VFxQzH3nDX.exe
Token: SeBackupPrivilege	5828	jqEDXCaiTc.exe
Token: SeSecurityPrivilege	5828	jqEDXCaiTc.exe
Token: SeSecurityPrivilege	5828	jqEDXCaiTc.exe
Token: SeSecurityPrivilege	5828	jqEDXCaiTc.exe
Token: SeSecurityPrivilege	5828	jqEDXCaiTc.exe
Token: SeSecurityPrivilege	7048	VFxQzH3nDX.exe
Token: SeSecurityPrivilege	7048	VFxQzH3nDX.exe
Token: SeSecurityPrivilege	7048	VFxQzH3nDX.exe
Token: SeSecurityPrivilege	7048	VFxQzH3nDX.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeIncreaseQuotaPrivilege	7044	WMIC.exe
Token: SeSecurityPrivilege	7044	WMIC.exe
Token: SeTakeOwnershipPrivilege	7044	WMIC.exe
Token: SeLoadDriverPrivilege	7044	WMIC.exe
Token: SeSystemProfilePrivilege	7044	WMIC.exe
Token: SeSystemtimePrivilege	7044	WMIC.exe
Token: SeProfSingleProcessPrivilege	7044	WMIC.exe
Token: SeIncBasePriorityPrivilege	7044	WMIC.exe
Token: SeCreatePagefilePrivilege	7044	WMIC.exe
Token: SeBackupPrivilege	7044	WMIC.exe
Token: SeRestorePrivilege	7044	WMIC.exe
Token: SeShutdownPrivilege	7044	WMIC.exe
Token: SeDebugPrivilege	7044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7044	WMIC.exe
Token: SeRemoteShutdownPrivilege	7044	WMIC.exe
Token: SeUndockPrivilege	7044	WMIC.exe
Token: SeManageVolumePrivilege	7044	WMIC.exe
Token: 33	7044	WMIC.exe
Token: 34	7044	WMIC.exe
Token: 35	7044	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe
716	firefox.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe
3124	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
716	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3812	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	82
PID 1576 wrote to memory of 3812	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	82
PID 1576 wrote to memory of 3812	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	82
PID 1576 wrote to memory of 3896	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	84
PID 1576 wrote to memory of 3896	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	84
PID 1576 wrote to memory of 3896	1576	390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe	84
PID 3812 wrote to memory of 1244	3812	cmd.exe	86
PID 3812 wrote to memory of 1244	3812	cmd.exe	86
PID 3812 wrote to memory of 1244	3812	cmd.exe	86
PID 3896 wrote to memory of 2588	3896	cmd.exe	87
PID 3896 wrote to memory of 2588	3896	cmd.exe	87
PID 3896 wrote to memory of 2588	3896	cmd.exe	87
PID 2588 wrote to memory of 1036	2588	AdminFHJEGIIEGI.exe	88
PID 2588 wrote to memory of 1036	2588	AdminFHJEGIIEGI.exe	88
PID 1036 wrote to memory of 2108	1036	cmd.exe	92
PID 1036 wrote to memory of 2108	1036	cmd.exe	92
PID 1036 wrote to memory of 3448	1036	cmd.exe	93
PID 1036 wrote to memory of 3448	1036	cmd.exe	93
PID 1036 wrote to memory of 1384	1036	cmd.exe	94
PID 1036 wrote to memory of 1384	1036	cmd.exe	94
PID 2108 wrote to memory of 2184	2108	chrome.exe	95
PID 2108 wrote to memory of 2184	2108	chrome.exe	95
PID 3448 wrote to memory of 4940	3448	msedge.exe	96
PID 3448 wrote to memory of 4940	3448	msedge.exe	96
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 1384 wrote to memory of 716	1384	firefox.exe	97
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98
PID 716 wrote to memory of 4644	716	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5412	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3252
- C:\Users\Admin\AppData\Local\Temp\390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe
  "C:\Users\Admin\AppData\Local\Temp\390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAECAECFCAA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Users\AdminAECAECFCAA.exe
      "C:\Users\AdminAECAECFCAA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\1000021001\28a9b8a15d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000021001\28a9b8a15d.exe"
        6⤵
        Blocklisted process makes network request
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1140
        7⤵
        Program crash
        
        PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFHJEGIIEGI.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\AdminFHJEGIIEGI.exe
      "C:\Users\AdminFHJEGIIEGI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FBE4.tmp\FBE5.tmp\FBE6.bat C:\Users\AdminFHJEGIIEGI.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        6⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb56d9cc40,0x7ffb56d9cc4c,0x7ffb56d9cc58
        7⤵
        
        PID:2184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,5358553705560001368,15046590765792183352,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1816 /prefetch:2
        7⤵
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,5358553705560001368,15046590765792183352,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2108 /prefetch:3
        7⤵
        
        PID:4808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,5358553705560001368,15046590765792183352,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2452 /prefetch:8
        7⤵
        
        PID:1680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,5358553705560001368,15046590765792183352,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3140 /prefetch:1
        7⤵
        
        PID:5380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5358553705560001368,15046590765792183352,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3316 /prefetch:1
        7⤵
        
        PID:5436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb56c53cb8,0x7ffb56c53cc8,0x7ffb56c53cd8
        7⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
        7⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        7⤵
        
        PID:1360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        7⤵
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
        7⤵
        
        PID:6860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        7⤵
        
        PID:5212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        7⤵
        
        PID:6952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
        7⤵
        
        PID:6500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5671755126057211405,13689453910439115585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
        7⤵
        
        PID:6864
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1872 -prefsLen 25673 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bdfc071-50a4-4487-adbc-aff5dc25b768} 716 "\\.\pipe\gecko-crash-server-pipe.716" gpu
        8⤵
        
        PID:4644
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 26593 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4296d7a1-5c02-44f6-bfdc-84698235c961} 716 "\\.\pipe\gecko-crash-server-pipe.716" socket
        8⤵
        
        PID:3500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aa1dece-14fe-40fa-8bc8-a3f172275677} 716 "\\.\pipe\gecko-crash-server-pipe.716" tab
        8⤵
        
        PID:5356
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 2988 -prefMapHandle 2796 -prefsLen 31083 -prefMapSize 244628 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e47acd48-4e16-4e4f-8202-bcaa9fb98753} 716 "\\.\pipe\gecko-crash-server-pipe.716" tab
        8⤵
        
        PID:5696
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4256 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4144 -prefMapHandle 1712 -prefsLen 31083 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7967621d-479c-4e40-bc4e-ce8c922b614b} 716 "\\.\pipe\gecko-crash-server-pipe.716" utility
        8⤵
        Checks processor information in registry
        
        PID:6200
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5516 -prefMapHandle 5540 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35372c37-0825-4a45-9e3f-c7b0e238d4c2} 716 "\\.\pipe\gecko-crash-server-pipe.716" tab
        8⤵
        
        PID:5736
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f6e7b2-ba09-47de-822f-6bf4afaa4973} 716 "\\.\pipe\gecko-crash-server-pipe.716" tab
        8⤵
        
        PID:5792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5868 -prefMapHandle 5872 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0410462f-f87a-440f-9112-df66974d0494} 716 "\\.\pipe\gecko-crash-server-pipe.716" tab
        8⤵
        
        PID:6156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingHDGDHCGCBK.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6604
  - - C:\Users\Admin\AppData\RoamingHDGDHCGCBK.exe
      "C:\Users\Admin\AppData\RoamingHDGDHCGCBK.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6692
      - C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Users\Admin\AppData\Roaming\VFxQzH3nDX.exe
        
        "C:\Users\Admin\AppData\Roaming\VFxQzH3nDX.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7048
        
        C:\Users\Admin\AppData\Roaming\jqEDXCaiTc.exe
        
        "C:\Users\Admin\AppData\Roaming\jqEDXCaiTc.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe"
        6⤵
        Executes dropped EXE
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:6368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:7016
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        8⤵
        
        PID:7028
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        8⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:6348
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        8⤵
        
        PID:1068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        8⤵
        
        PID:1616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:3468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        8⤵
        Clipboard Data
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        9⤵
        Clipboard Data
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        8⤵
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        8⤵
        
        PID:3628
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        8⤵
        Network Service Discovery
        
        PID:5592
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:5144
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        9⤵
        
        PID:6988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        9⤵
        Collects information from the system
        
        PID:6016
        
        C:\Windows\system32\net.exe
        
        net user
        9⤵
        
        PID:5408
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        10⤵
        
        PID:6348
        
        C:\Windows\system32\query.exe
        
        query user
        9⤵
        
        PID:1068
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        10⤵
        
        PID:5412
        
        C:\Windows\system32\net.exe
        
        net localgroup
        9⤵
        
        PID:1256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        10⤵
        
        PID:6964
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        9⤵
        
        PID:760
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        10⤵
        
        PID:1520
        
        C:\Windows\system32\net.exe
        
        net user guest
        9⤵
        
        PID:2564
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        10⤵
        
        PID:7060
        
        C:\Windows\system32\net.exe
        
        net user administrator
        9⤵
        
        PID:1164
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        10⤵
        
        PID:2624
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        9⤵
        
        PID:1704
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        9⤵
        Enumerates processes with tasklist
        
        PID:6948
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        9⤵
        Gathers network information
        
        PID:3064
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        9⤵
        
        PID:1760
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        9⤵
        Network Service Discovery
        
        PID:228
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        9⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1508
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        9⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4804
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6852
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:6976
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4516
      - C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 384
        9⤵
        Program crash
        
        PID:3556
      - C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 10 & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 10
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 508
        7⤵
        Program crash
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\1000343001\OneDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000343001\OneDrive.exe"
        6⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\1000343001\OneDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000343001\OneDrive.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI51322\Blsvr.exe
        8⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\_MEI51322\Blsvr.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI51322\Blsvr.exe
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 2592
    3⤵
    - Program crash
    PID:5212
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2736
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7116
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5780
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3424
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6096
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5532
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1228
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1672
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of SendNotifyMessage
  PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1576 -ip 1576
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3628 -ip 3628
1⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5836

C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5872

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6572 -ip 6572
1⤵
PID:6800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5568 -ip 5568
1⤵
PID:6588

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4212

C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DHJDAKEGDBFHCAAKJJJDAEHCAA

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\AdminAECAECFCAA.exe

Filesize
1.8MB

MD5
8dca8723b206c803e7ace213df89b4f4

SHA1
b5f6752c09e63f2278e423b3f93e4eeacf6f4cc4

SHA256
cc4cb57e8b5ba707022bc49e86bf7c26c645cbf3c838cca83e36fb290ced2ab0

SHA512
a7928871c726cc5e04b4f55168731cbea6c8bb2c5cbf2ab89f72f4f51d26317bf1a9a2555b1b8b8d60053c646c7d0a908afc625965950afe7d4852007df38ef5

Download Submit
C:\Users\AdminFHJEGIIEGI.exe

Filesize
89KB

MD5
a5e070181a6cd03264427e255b7cad97

SHA1
3117a3c6e86290479bb3d008b826ba28f49ec0be

SHA256
b379d421f4c115469200325905c7b785a6d6d1e0cb6492cbff65113e68db45a7

SHA512
c9c4ad2114ebaec5e9d18b34b5771a53c0fd5be0035404242ea21d56e18d78097189e357d44e97f00c8a38f6aca81a20878e5daa7f39f79073aeb850855daa2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
504ef77da93e87b63f867a4f3b022fa5

SHA1
965b23a560c2a5853c72ccceae2de4276e154c66

SHA256
9c9a26efdc06098b0c51c68d66da025c50a38aa233d7d19f0a7ed14cb0fbfb34

SHA512
bbe7ed6f577dc34ee61c538ca272cb129adb60b675cc1756984084b56dd31ab37958a2c756508874e17b3bc7333db21fe90b66414437ea7184ac8d6d66f7c878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d9cc13b47a9edbf6d4184be963e37204

SHA1
c58e0f7c9f8d7b0a7d8dbd9a88c0f78ebc2c7522

SHA256
b551027fe22a355db51fb5807da80caaa537e207c2e9805b8733d575a323c940

SHA512
f208ce1468795dcf18c113e515b8e3eff87c6f7b979c460556f4a99c19b3315489addd7600582361420b7ef2d3f7b7e493735d7a8a94932e9d443035dd5f7ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fb008536f770178264e4c1d1f145e32

SHA1
20f3aabfee2e79f0fd22072c56dcf7b003479e34

SHA256
199479024f8a53de16e1d0e1ea9e3787d8aa7f79fa3387aa72dc19645d28567e

SHA512
2d41329b488fabde48fc155e254ff484a5a60eefb1df53fd2baae361814ee7dbc2f175e06faa89c5fea4d26536ad19b6ee23afcee282a72144d5a61b57d2bb42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
5631b51a9c25a032d04d91f753e00195

SHA1
f16901387fbc9001f84654b93247329b1975ad0b

SHA256
fbd7a2a624996e73683e51b9818f827e2b5030c9e195fe5bddf072f4253fdd22

SHA512
ca2c369a71aff5c679ce4794131f429be18e19fd59eb40982de95fa414666116e20d3303c6fd3f10db72aed0126ca59b6a42e66200eaa305691503adcbe97db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4656c526f71d2c1122865ef7c6af3ff5

SHA1
61684265064c225f323d304931ff7764f5700ac2

SHA256
7172417b8464d5c2f52edfc867f4d83e475b58fd316b1916cdde30ed5bdde80e

SHA512
c3e4fc0baa216ef561a448e42378af01a50e0ebd9b5fe554c9af0ea3362b9ca2f4a1b99cfab66c18df085250dd7a5ca1b01ab256e28156d657c579f5518aa56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc5eae38782879246edf98418132e890

SHA1
46aa7cc473f743c270ed2dc21841ddc6fc468c30

SHA256
b9dd7185c7678a25210a40f5a8cac3d048f7774042d93380bbbd1abb94d810d7

SHA512
73680b22df232f30faa64f485a4c2f340ba236b5918915866f84053f06532b0a722c4ee8038af3689ac04db41277c7852f7a11a0a15833ef66bcc046ee28afb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
a5156555f80cc19c341bf5e5ffce1e56

SHA1
b35d25bb3d60afa06154be920f643697705ab82b

SHA256
f30f5ed466b725d1c1be22dfe6d76d3f4518a4c44757f202a1f70514171f24c1

SHA512
0f29f3e58b35eedb4a4b150baa21a319c5253e846250d2f79356b84d3fe7f7ce51714daf68f564b58ea52b8bbad1b7c1681e53e21b20f9235210d9d874a8397b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
765015f2da8c57cc2fd307002f0d2a18

SHA1
da94c10eccb19ca32f7365dd92469f64b2b7da27

SHA256
a6e0b0c5db0dbd559f1c084f4cf8f75d604784b68c27d326ab91e9044e8ecaf7

SHA512
f918cc99e5c2a51bc3bf9db3fff6056bce22204ae6598a3239f6fb2a80f13eadfcab5753c9d36e6b93b75530be3a1a905c8b4fe5a539dcf9ba9f4b31de1b8d7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59458faf38e2763012d3d2fdb9c2e15e

SHA1
d00849ad29dc7c022ffc63a2b0d47c48f0d19ed9

SHA256
4a85b14ff80d336e9e18c34eefd89a06c51bf78cc004542bfe7656af6da49a79

SHA512
f5f796375dbf8e1f994f18858f8788aa420c705e27a3e67f88e4c7c24dd465af4a396b4e10e68ac08bd75a42155f787a446a6bb5c42e6feab1192a5aad8235ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0130f5d3996d4b5ce446636e16fe8d96

SHA1
aa2beead7794eedae70fab87782d3297df9abdef

SHA256
7c8a16f677135ca762667be37a4ca8e5a5463497873dc140171d6c15dfb39c0b

SHA512
d6d86ff4e65d7d45cb4c272ecf2590a1e9afa9229fd27a9f25db525b34c0b51dabbc952104cee46d8841abfc070071a37a04ab2f7fd098789bfab9d300b3462f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
453955cc2433880598464b7ad78e0916

SHA1
58627d13e6182e1bd7f52a99e109c1a7e6918283

SHA256
dc4667fd18737c6b3f964908afbeb1e1771f44ea6e53744fc6caa67c08a82754

SHA512
309ac77556323cb46a23087e873da31c559c8350643dfd70283ea2867415aa14ee7c909b86e22a354f2bc8d986dcdff5e780490fd93a2d68a7d7f3006696126d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
194aee2debf1904c42438d7a9b317c8a

SHA1
e0bf2f099e83662834c77bf3eaf2aba366135914

SHA256
8faefc2abc4c464b333fdf23504a51c17714d247728475b3ba7436911faba92c

SHA512
f7c6724225305bbe4e971ccde57a04cfa9e1a623848cc635d10e61bf7333b9c303e6b704f1fb7d4600728c9c1331a3f63ccf60f5665700c654af9fc7c655b8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a781805dec567560440dadd1c72a225

SHA1
6e834a063fceeeb4e238c6299529ee1293036b46

SHA256
f31e0db69fb861e4e101835668d64230e24f0b7069047582afead3281b3b26ae

SHA512
1349de1361d6dc3e197b6da8340f37b28990f11bfc1fa6eb51094760aaf86ee3617d043d254855346d2af57518ba97c753831e31905928751a729b6f54c42b62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
b923d0ef050424b5c3d133c9a8e86c47

SHA1
647a85e62391fcfc74f3f893d122a4a7a74174e6

SHA256
3452dcfca68c47aec3b7b17d920964fdd499e780c5ea6e838fc517f0169e5954

SHA512
273d825abb284179963fc43ddd322bbc786dc4c640b7511c2913f90393fb32b44c331150f5379381bc1fe84ad475a58dd1f243d21289fdbd4363a9d69a24abd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe

Filesize
266KB

MD5
eeb23fb0aac55797c0b1a3d30146586d

SHA1
b83f89cf4cd335bc1bb387d04319124bc96f200c

SHA256
ba34d9966e42c1ca1f76685fb9abe848d4effe2294346d3538e7ca77d0bba954

SHA512
c9fbb00d2b56cea71774048adf7cd00a7da273086401b8895d891619bac86522f8f855b1d74a9a29ab98cdc2c4fa065dec52883fbd3b84f7e7e3712e93982977

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021001\28a9b8a15d.exe

Filesize
284KB

MD5
57a35eb5298b9bec9cd7ffc3fb8204f7

SHA1
93381d2f35df4d54134db07167c2eee616a2d3e9

SHA256
390163b1882726bbb614ee93e59b727feae9dfec735d4813dca8caf709f65c48

SHA512
aa1381e1c1fc1003a1996a308940b816662a8560537205547e92f38ea7c70432bdd6e5ad86d8f9732258c33c4a14fac764882b64633d58ca9819ccf54ab93f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe

Filesize
1.3MB

MD5
90b3832d4da1a85d18c9c515cb01780e

SHA1
57a70473e3046328cdce3da7943d13c1a79fe8c5

SHA256
ba82b9708925f266c292334bc5e20e963c6e20ce134f03f79892fd5c26e645f8

SHA512
3987c88a9a30a0c1b2ca03e784e3c0631f83e5576faa3243787ab2407f1fd0f9302a538e0caccc785d308802eabaf91ded96902cab70be51482513c72cd383e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe

Filesize
10.7MB

MD5
c8cf26425a6ce325035e6da8dfb16c4e

SHA1
31c2b3a26c05b4bf8dea8718d1df13a0c2be22ee

SHA256
9f7be9bf913d8378f094b3f6416db9aa4c80c380000202f7cfaddadb6efc41b4

SHA512
0321e48e185c22165ac6429e08afac1ccfdf393249436c8eac8a6d64794b3b399740aa5b2be23d568f57495d17e9220280ed1c2ea8f012b2c4021beb02cbc646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe

Filesize
369KB

MD5
1b1c6f48b7c91a48a0dcd736ed0c8d24

SHA1
78378356bd87ca67da61826074c5737c09c197d3

SHA256
525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8

SHA512
108828525faa53156c16c03c2a7a0d87775b7575553fa408eec15692f0205fce7b9f48ff42f76095d15b15de4ec07b1d2145da440cc8237485b7ee3c06885cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe

Filesize
297KB

MD5
a20fc3377c07aa683a47397f9f5ff355

SHA1
13160e27dcea48dc9c5393948b7918cb2fcdd759

SHA256
f7891ca59e0907217db3eeafbe751e2d184317a871450b5ec401217a12df9d33

SHA512
dcdba7203efeea40366375fb54123b11bba972552795c64cbe912bef137698d308ea8e370732e5a65cba5687fbe6095bd53e5e1e49e3a6d8cf6912ebb61da254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe

Filesize
527KB

MD5
3828babaa69c01aa31609e67ac8c1f71

SHA1
97c9185851f81f6d9cffa22105dc858add2768f8

SHA256
a13c3863d0fdb36d18368500bd07167cd058d7b6fb511a9356b2cf99d14ccb48

SHA512
b1baf57c8a90df0142d913e83046e532161c72e894dc5aa46d3368f9e8c6d9a97067def52d07367f5a15dba84a4f6a040c3ef289a819c48d5be5653583a69234

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe

Filesize
681KB

MD5
4f5771aa008fb55801a3f9fba7130f69

SHA1
eaace725791c08810198c08907b84b8850d4ef5b

SHA256
447ed0bdf4f8d0479545724b9578d2a3296b6bc5e2162d7ba405276234eccf0d

SHA512
0ce8c4c44338d92f4a5f07f38a93812a85ce5524a4ed0c4e4d616127ea6fe02e94df0938075b4d2dc3eead2fac4a827230b0d2e1333bb51146d92417b1a5bfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe

Filesize
416KB

MD5
3764897fd08b8427b978fb099c091f71

SHA1
a6abba0f071fbf0d4fa529b773678c6532493164

SHA256
a67f6fa1fa32b492f08ae46e187a143d8b107863df119cdb0759b39446827a68

SHA512
472730a36d32c15b4758c0c6051f27a3e72cf09e7e9d031ca923bb3d098fc7bd05e3acd00e204d41cc9c0b65ddf88cc151e9cb8e6646a73a380499c83ea4bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe

Filesize
5.6MB

MD5
753df56b82850430b8c7e25aaa93ea66

SHA1
5977fa278c4ab6f2e515efe72f09c85e67ff0590

SHA256
25129518eb2a72e5cee72ab1e567393abed215bb722e4db5d739b1480f1e18f2

SHA512
8e25374af7d513be5b2f6700dc4d07fdeea75e2fc56b32cd0ea6c5117334a02ede3cace39836df64680da92d5231d08c2f08798e9a27f2315496beda37710ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe

Filesize
324KB

MD5
848abdbd09c052799a0e0180b59f6fee

SHA1
2f73b04baf17c3a9f9d21f6f324d64306a10682c

SHA256
1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109

SHA512
eb3a87e787d151915da06f89132d6e5b9b7682a3a69761795180050f42c7fbe8831049ee96410e7b7de5e7c835ceff1e24e84321cccf8d6ed9ba5928bca58203

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000343001\OneDrive.exe

Filesize
12.3MB

MD5
f468ae483026819d6977e2a5e34ea52a

SHA1
bdcd08269c84863eace14dc54d64c6f0af41f332

SHA256
578778fa4d79588a14d0830d4e52dc55aead1ca8bf99c9672cbdaf6c7b58eb5c

SHA512
ea2056f8d41ce4db455f9cacc7ac91919a8b35bb351bafc08f5df9f076b45369917dc06dfc944a83dc3aa99f535a680644f5ea97cfc4eb8dbbccce83d24590bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBE4.tmp\FBE5.tmp\FBE6.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkqmp3v3.nng.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\stub.exe

Filesize
18.0MB

MD5
1cf17408048317fc82265ed6a1c7893d

SHA1
9bfec40d6eb339c5a6c2ad6e5fa7cebc147654c5

SHA256
1352ad9860a42137b096d9675a7b8d578fbc596d965de3cb352619cbe6aaf4e9

SHA512
66322d7cb5931017acaa29970da48642d03ce35007f130511b2848b67169c1dd4167f1e5a31e5e1dfe5f7122846482bdb878b5cd695ac58009033fd620813a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_7100_133662537471864260\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EDD.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F2D.tmp

Filesize
114KB

MD5
4bee2380ba939265c00a6c00888a5494

SHA1
77d3a6e076e805c0f8c89a609c5482e15ea634a2

SHA256
cfe1d51e9fd7e3ea355dc71b04f1af2b7d6c1fd00b12db634862dea6faa579f6

SHA512
6080033362670874174d80f99640d83fcb0d037e21135f60a68f82b3a226411cbdd49e22ab676beeac9714c5e4461b4c46a44c080c38f3775cf81d85a6c2fbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40DD.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp413E.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41CC.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\RoamingHDGDHCGCBK.exe

Filesize
1.8MB

MD5
927614bdb1fff68b49468bc4a3886f36

SHA1
e684e796b2d93374c80e94d5b77fdd50c194a0d4

SHA256
30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

SHA512
b8c84b98902d8b9b942d8b928a65e7f23465d773f9751f64695e011717ac84257d9d736781c7e9c239ed27b481f1c7fca5a62a2ea3f255797f868e6d7a7829e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin

Filesize
12KB

MD5
f012330c52d9002b9bc4988fffa9a3cc

SHA1
84c0e49165ce2f3f032f0cd501482ac81a781523

SHA256
17437e5139a8b4386518b99718a0c90f4b78ef32b31a903e7cbec2069b4e9f75

SHA512
ea453364ac5fd828fdbb994657f8ba1032f94f7dfd56a5340c3f6a14e59ba506b6cd5a9dbe28455cfeac8573a29559f1969c53a0956459c8695399f88612444a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
bb6c6df5549d4313ebf3a751a17aa87e

SHA1
462b8eef264256cca0d68c0892452cd6aaa78f07

SHA256
336e6d6be2759942684c0973d1a5fb651c444258d53ecffc5e96d4d0a81023c5

SHA512
f55b5ffc67a6897f6bb14e546ebdbd132393c311f025de1f88574aaaa294d33710fc9dad8d6ce06ec54b569480cd14f8def254c5cfcb818e55e77369db8c3da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
9f7a7550ca4ede948b0ad5fa5c0fb7f3

SHA1
d44e794177b09058c4cb1e8309b27baefb080d8e

SHA256
83a2a67c52c9bfb3151c64e2e372f774117ec545b5d50570b40b3f098a0c8392

SHA512
95dbda0574c33b7f9211723235d61ef8573b30832b3acb05ee4ebcaab521d4b782e3ea805ecfe7f04bd5263abf41b6c31635ffdb208da92004414467ff974578

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\53e27aca-ccdb-4c75-a554-8aafe4e7ca6d

Filesize
659B

MD5
6bff66c992500469bd2e8e8e88a3edfc

SHA1
05dac0824b02466be1b28551c498208b92afece5

SHA256
7e2e396e7020bf1147914a3976de3da03d8b4dc6b8d231ae557dda1b36be70de

SHA512
ad9500deca145171c7f5d14a3ac71b55b6f4a00246a4d6ade16b771c64936c5af3ac313915994f2df8e54240d99b05f65d1fb85a8c846e72a6be10cad77328ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\d9d75dcd-e8f4-42ad-b706-4e00a0d7d25b

Filesize
982B

MD5
860ea15a33bcd3df13ce918a7a24607d

SHA1
085080d87359185bc51b0faba588eff5c2159901

SHA256
bfd7e8b78771c964742c3982be91c2e3a72c81313a8f41c621fea1bbeeb0112f

SHA512
a8a0a92bfda5abf0e599fd85341f23094a6acc1fc212abe5d15423eccdb77377235d2f363452e5ab4882cdb75fa813b9a92e433a418aba8aa761f2ed83eb533b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs-1.js

Filesize
11KB

MD5
3df435807988c1f5f3d8a41e42f5ca76

SHA1
97cda83dfaef9152f396906b8d1c9f4d2fca96bf

SHA256
6e939ff2edfe1db4fd77d8836954da372b72bdb55162ba551f5949106f75e4cc

SHA512
15611e5965e71a4edbd219b84e6ba74fd867d3dbeb7f0b0016ef0e087d55ab0c8cc1b0f6ecba2c37dd96ace205683aed1e29860da184027ae554ff0d892d3536

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\prefs.js

Filesize
8KB

MD5
556d1e55b27ca3700863d13b5a75c05a

SHA1
089c0cad99df035d38fb5154e4454f64d5b583f3

SHA256
60f79544cb8922d3e1361f2c3debf26f83e698def30618a76bfd63ac9833f6c5

SHA512
3b0b938fb00e233aaff630ae98448e576aff0b428a74438181c77ac1dc27975ae6ea6c503388ed695a380678e759e9e31337a940518c213895c654131823bbc6

Download Submit
C:\Users\Admin\AppData\Roaming\VFxQzH3nDX.exe

Filesize
381KB

MD5
1b75671fb234ae1fb72406a317fa752a

SHA1
bd47c38b7fb55d013b85c60cd51c8c5ee56f3757

SHA256
499d5830b76daff19e04393ba05f63baa893f8d86ae358fc59365a5938177cbe

SHA512
4c96d2c40862f73314394f48bc9c0930d5c51bfaa389185518c84ac921ceafab0f296df48655a9640d4232265daf67f3b0f4b886bfd31d230e8ec9ed11bbc2f5

Download Submit
C:\Users\Admin\AppData\Roaming\jqEDXCaiTc.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
memory/1244-387-0x00000000008B0000-0x0000000000D5D000-memory.dmp

Filesize
4.7MB

Download
memory/1244-84-0x00000000008B0000-0x0000000000D5D000-memory.dmp

Filesize
4.7MB

Download
memory/1256-1306-0x0000000005E70000-0x0000000005E78000-memory.dmp

Filesize
32KB

Download
memory/1256-1304-0x00000000018A0000-0x00000000018A8000-memory.dmp

Filesize
32KB

Download
memory/1296-1156-0x0000000005230000-0x0000000005236000-memory.dmp

Filesize
24KB

Download
memory/1296-1152-0x00000000007E0000-0x0000000000890000-memory.dmp

Filesize
704KB

Download
memory/1576-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1576-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1576-404-0x0000000000400000-0x000000000245F000-memory.dmp

Filesize
32.4MB

Download
memory/1576-479-0x0000000000400000-0x000000000245F000-memory.dmp

Filesize
32.4MB

Download
memory/1576-480-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1576-2-0x0000000002700000-0x0000000002730000-memory.dmp

Filesize
192KB

Download
memory/1576-1-0x0000000002760000-0x0000000002860000-memory.dmp

Filesize
1024KB

Download
memory/2228-1228-0x0000000006690000-0x00000000066E0000-memory.dmp

Filesize
320KB

Download
memory/2228-1023-0x0000000000200000-0x0000000000250000-memory.dmp

Filesize
320KB

Download
memory/3628-691-0x0000000000400000-0x000000000245F000-memory.dmp

Filesize
32.4MB

Download
memory/4072-1087-0x0000028D06BF0000-0x0000028D06C12000-memory.dmp

Filesize
136KB

Download
memory/4212-1378-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/4212-1375-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/4516-996-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4516-995-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4516-1072-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4780-511-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/4780-509-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4780-505-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5020-1380-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/5020-1376-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/5736-1271-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/5736-1246-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/5776-1162-0x0000000000500000-0x000000000057C000-memory.dmp

Filesize
496KB

Download
memory/5828-712-0x00000000089B0000-0x0000000008FC8000-memory.dmp

Filesize
6.1MB

Download
memory/5828-693-0x0000000000D00000-0x0000000000D84000-memory.dmp

Filesize
528KB

Download
memory/5828-728-0x000000000A100000-0x000000000A2C2000-memory.dmp

Filesize
1.8MB

Download
memory/5828-697-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/5828-696-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/5828-729-0x000000000A800000-0x000000000AD2C000-memory.dmp

Filesize
5.2MB

Download
memory/5836-1245-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/5836-1269-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/5936-1127-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5996-492-0x0000000000C40000-0x000000000110A000-memory.dmp

Filesize
4.8MB

Download
memory/5996-457-0x0000000000C40000-0x000000000110A000-memory.dmp

Filesize
4.8MB

Download
memory/6572-1267-0x0000000000400000-0x000000000245A000-memory.dmp

Filesize
32.4MB

Download
memory/6580-1223-0x00007FF77F900000-0x00007FF780B3E000-memory.dmp

Filesize
18.2MB

Download
memory/6580-1210-0x00007FF77F900000-0x00007FF780B3E000-memory.dmp

Filesize
18.2MB

Download
memory/6692-897-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6692-1244-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6692-493-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6692-1060-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6692-1303-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6692-1243-0x0000000000150000-0x000000000061A000-memory.dmp

Filesize
4.8MB

Download
memory/6920-1302-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/6920-433-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/6920-711-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/6920-1208-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/6920-1059-0x0000000000F80000-0x000000000142D000-memory.dmp

Filesize
4.7MB

Download
memory/6960-655-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6960-658-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6960-656-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6960-659-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6960-679-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/7048-694-0x00000000008B0000-0x0000000000916000-memory.dmp

Filesize
408KB

Download
memory/7048-725-0x0000000009730000-0x00000000097A6000-memory.dmp

Filesize
472KB

Download
memory/7048-724-0x00000000087F0000-0x0000000008856000-memory.dmp

Filesize
408KB

Download
memory/7048-716-0x0000000008550000-0x000000000859C000-memory.dmp

Filesize
304KB

Download
memory/7048-726-0x00000000096D0000-0x00000000096EE000-memory.dmp

Filesize
120KB

Download
memory/7048-715-0x00000000083F0000-0x000000000842C000-memory.dmp

Filesize
240KB

Download
memory/7048-714-0x0000000008390000-0x00000000083A2000-memory.dmp

Filesize
72KB

Download
memory/7048-695-0x0000000005780000-0x0000000005D26000-memory.dmp

Filesize
5.6MB

Download
memory/7048-713-0x0000000008440000-0x000000000854A000-memory.dmp

Filesize
1.0MB

Download
memory/7100-1227-0x00007FF615EA0000-0x00007FF616978000-memory.dmp

Filesize
10.8MB

Download
memory/7100-1209-0x00007FF615EA0000-0x00007FF616978000-memory.dmp

Filesize
10.8MB

Download