amadey | a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Size

1.8MB
MD5

4a4542c4dabe2c5c3f0592b16ab8c802
SHA1

473577e88a063035c01d7f69a97dac18cbf8a835
SHA256

a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6
SHA512

088b8cbf4e1d5de0630ac2f44ad48b10bc5ccbbcdb61613fb72c513443eacffd2b074b5029d248bee029808133fa36e40b3c99ea31d97e43c174c91cfd99bec6
SSDEEP

49152:hUjeQmlGGtJs5tVO/poKqPfCnUbpWq5Xi/Hyzq:h9QmBYtEhoKNnUbksX0yzq

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Extracted

Family

stealc

Botnet

QLL2

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

25072023

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023be5-3044.dat	family_monster
behavioral1/memory/6944-3215-0x00007FF7E5840000-0x00007FF7E6A7E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/6016-3164-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x0008000000023c18-3356.dat	family_redline
behavioral1/memory/1852-3368-0x0000000000800000-0x0000000000852000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	90bebffc8f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1580	netsh.exe
5868	netsh.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	90bebffc8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	90bebffc8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	f1f5d3d247.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	90bebffc8f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1504	cmd.exe
4376	powershell.exe

Executes dropped EXE 19 IoCs

pid	Process
3172	explorti.exe
2072	f1f5d3d247.exe
7100	explorti.exe
6352	7024ce736b.exe
6760	90bebffc8f.exe
5432	axplong.exe
5688	axplong.exe
5272	explorti.exe
3408	build.exe
6944	stub.exe
3696	GOLD.exe
7076	343dsxs.exe
4020	crypteda.exe
3060	ZqZR2b3t3C.exe
7016	xHKtFZFsi4.exe
1184	2.exe
1852	25072023.exe
5832	axplong.exe
5648	explorti.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	90bebffc8f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Wine	explorti.exe

Loads dropped DLL 35 IoCs

pid	Process
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6944	stub.exe
6208	RegAsm.exe
6208	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1f5d3d247.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\f1f5d3d247.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7024ce736b.exe = "C:\\Users\\Admin\\1000029002\\7024ce736b.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
254	raw.githubusercontent.com
255	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
252	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2636	ARP.EXE
6876	cmd.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
7084	tasklist.exe
3188	tasklist.exe
5368	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3600	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
3172	explorti.exe
7100	explorti.exe
6352	7024ce736b.exe
6760	90bebffc8f.exe
5432	axplong.exe
5688	axplong.exe
5272	explorti.exe
5648	explorti.exe
5832	axplong.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 6016	3696	GOLD.exe	190
PID 7076 set thread context of 6208	7076	343dsxs.exe	214
PID 4020 set thread context of 2764	4020	crypteda.exe	220

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
File created	C:\Windows\Tasks\axplong.job	90bebffc8f.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6332	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000023c09-3062.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5596	6352	WerFault.exe	133
6548	1184	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1f5d3d247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7024ce736b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	343dsxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xHKtFZFsi4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90bebffc8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZqZR2b3t3C.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2268	cmd.exe
5624	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1564	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5860	WMIC.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5076	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1148	ipconfig.exe
1564	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2748	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6972	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
3172	explorti.exe
3172	explorti.exe
4260	msedge.exe
4260	msedge.exe
1056	msedge.exe
1056	msedge.exe
444	chrome.exe
444	chrome.exe
7100	explorti.exe
7100	explorti.exe
6760	90bebffc8f.exe
6760	90bebffc8f.exe
5432	axplong.exe
5432	axplong.exe
5688	axplong.exe
5688	axplong.exe
5272	explorti.exe
5272	explorti.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
6208	RegAsm.exe
6208	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe
6016	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
444	chrome.exe
444	chrome.exe
1056	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe
Token: SeShutdownPrivilege	444	chrome.exe
Token: SeCreatePagefilePrivilege	444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
444	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4556	firefox.exe
6352	7024ce736b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 3172	4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe	87
PID 4340 wrote to memory of 3172	4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe	87
PID 4340 wrote to memory of 3172	4340	a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe	87
PID 3172 wrote to memory of 2072	3172	explorti.exe	88
PID 3172 wrote to memory of 2072	3172	explorti.exe	88
PID 3172 wrote to memory of 2072	3172	explorti.exe	88
PID 2072 wrote to memory of 3212	2072	f1f5d3d247.exe	89
PID 2072 wrote to memory of 3212	2072	f1f5d3d247.exe	89
PID 3212 wrote to memory of 444	3212	cmd.exe	92
PID 3212 wrote to memory of 444	3212	cmd.exe	92
PID 3212 wrote to memory of 1056	3212	cmd.exe	93
PID 3212 wrote to memory of 1056	3212	cmd.exe	93
PID 3212 wrote to memory of 2828	3212	cmd.exe	94
PID 3212 wrote to memory of 2828	3212	cmd.exe	94
PID 444 wrote to memory of 3440	444	chrome.exe	95
PID 444 wrote to memory of 3440	444	chrome.exe	95
PID 1056 wrote to memory of 3588	1056	msedge.exe	96
PID 1056 wrote to memory of 3588	1056	msedge.exe	96
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 2828 wrote to memory of 4556	2828	firefox.exe	97
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98
PID 4556 wrote to memory of 5044	4556	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe
"C:\Users\Admin\AppData\Local\Temp\a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\1000020001\f1f5d3d247.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\f1f5d3d247.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8AEA.tmp\8AEB.tmp\8AEC.bat C:\Users\Admin\AppData\Local\Temp\1000020001\f1f5d3d247.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc2682cc40,0x7ffc2682cc4c,0x7ffc2682cc58
        6⤵
        
        PID:3440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15955576108225751133,5885783626814878164,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1904 /prefetch:2
        6⤵
        
        PID:2928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,15955576108225751133,5885783626814878164,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:3012
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15955576108225751133,5885783626814878164,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2572 /prefetch:8
        6⤵
        
        PID:2756
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15955576108225751133,5885783626814878164,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        
        PID:5488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15955576108225751133,5885783626814878164,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3284 /prefetch:1
        6⤵
        
        PID:6240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc266e46f8,0x7ffc266e4708,0x7ffc266e4718
        6⤵
        
        PID:3588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
        6⤵
        
        PID:628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        6⤵
        
        PID:5100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        6⤵
        
        PID:3564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        
        PID:3608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13274437552885524050,5783745729695116906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        6⤵
        
        PID:5928
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1832 -prefMapHandle 1824 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1bc72f-9db7-4935-b13d-eff5194a1f64} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" gpu
        7⤵
        
        PID:5044
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 1888 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2feb068f-33ec-45fc-b553-e8422ea8c04a} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" socket
        7⤵
        
        PID:2336
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2888 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed18c3b5-ed0b-4be4-bcae-dbaae1ebd0ff} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
        7⤵
        
        PID:5260
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 3172 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b883fe7-31cb-4e14-8af3-7c849ac32a5f} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
        7⤵
        
        PID:5552
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4248 -prefMapHandle 4224 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c52a3b29-2b66-499c-8d76-3670f58ffe41} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" utility
        7⤵
        Checks processor information in registry
        
        PID:6184
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5320 -prefMapHandle 5316 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e4598f-7f2b-446d-94fb-31ec50267e0c} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
        7⤵
        
        PID:6176
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a32c6be-e116-4a97-adf6-a26b9bc84929} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
        7⤵
        
        PID:5400
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc847b2d-a351-43c6-9cc8-f2e37a188db2} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
        7⤵
        
        PID:5640
- - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    3⤵
    PID:1708
- - C:\Users\Admin\1000029002\7024ce736b.exe
    "C:\Users\Admin\1000029002\7024ce736b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 1328
      4⤵
      Program crash
      PID:5596
- - C:\Users\Admin\AppData\Local\Temp\1000030001\90bebffc8f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000030001\90bebffc8f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6760
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        5⤵
        Executes dropped EXE
        
        PID:3408
      - C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:1476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:4476
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:5368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3600
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        8⤵
        Views/modifies file attributes
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        7⤵
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        7⤵
        
        PID:5008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:7084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:6768
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:6840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:3692
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:6900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2268
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        Network Service Discovery
        
        PID:6876
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:2748
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:1240
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:5860
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:772
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:1576
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:3096
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:4636
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:4256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:1096
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:1284
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:1916
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:3632
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:2784
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:1276
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:2416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:4368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:3188
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:1148
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:1164
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        Network Service Discovery
        
        PID:2636
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1564
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:6332
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1580
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:6480
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1452
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6900
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\343dsxs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\343dsxs.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:6208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\ZqZR2b3t3C.exe
        
        "C:\Users\Admin\AppData\Roaming\ZqZR2b3t3C.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\xHKtFZFsi4.exe
        
        "C:\Users\Admin\AppData\Roaming\xHKtFZFsi4.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7016
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:1184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 276
        6⤵
        Program crash
        
        PID:6548
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5332

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6352 -ip 6352
1⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5688

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1184 -ip 1184
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5832

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HCFCFHJD

Filesize
114KB

MD5
a2bc4eb3c67f34d75effa9bde49c2ffb

SHA1
f38bf9e1468d1dd11a5d197c8befcbf9302e4e57

SHA256
a2afda6ed0239af2873e61cffb2817572f9f5ce278b509d6c9c9e5f368a178e5

SHA512
30fd383d5b385ffb7f6551ea64636189bfa090a9097e8373574c6dcf3c9e7bbc8c08035057a5565fd139dc505e1ca40cd83df477c2ee67a605d0a2cf8481dffe

Download Submit
C:\ProgramData\IECFBKFH

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000029002\7024ce736b.exe

Filesize
2.5MB

MD5
1d36135b5c0b59b965aa1ff8f8874a4e

SHA1
c699ce3e004181308e099dbb93fb3b84999bfc2c

SHA256
e26d7dabcf5095750d11407a9341af6c898034b75f9fff158cc4c4757ec9f51a

SHA512
d821fffb943189f13117338feb9fb535cf1378566a7f28bd6a5570d33839f91ae04b8eaa0ab7d3cfe35b57a71b5ad2938302e175579b7d38aeec8bdd2fbf44a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
872b288e6d488335b901e000e0425211

SHA1
697b160b654a9e9423287e087dd8e198b681afa9

SHA256
c5a73c3c8c42030e5ef92f401b703c962c8a86c76082dfc28bcb18609115954b

SHA512
ae595f003152dd22df06bd77a532922d6ea6fe83baed8afac8ed71133b99cf2daffb023292fd142398087b31ccb6dd22a4fe4e4f676cf5dffe5ce44005766947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b266aee75840a4c1495ae38200482c55

SHA1
cacc4a8740faf42b285a62e9d6ef699846923ab3

SHA256
2f7b874f3d32f0c8df6e92d98e4123503955baffbe05648937a1a873db161099

SHA512
068315ef77adf2fe5beee98a62d242d2804cc5bee0490bc6e0f8e5ed2657a9584573c824e01f241b05b450305be754e91505165d2fd4582e4997260e64c6d31f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
405bf0aab1c6be58ce0d9f893d836ec3

SHA1
8211c1c3d2bde1c8b898b36d6a67454eb3c46b7a

SHA256
79240dbfb0ea106db25d4ed1aa1a3e0a0f6526b3bb57b8fac4eefd85e697aaf1

SHA512
ad71a1883d4fea090e20ee981321eeb0c91c71ec6dda694b527327d34a1a3fe641fc700936312a5825f8a8356ea30bc2d0583f60a95d75e4d73682ce3a5f0dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
454c5dfcb2326655b60bbeb99feeb6ca

SHA1
2502f9fbd38bdac0015610b15d28f4d7371d1c1b

SHA256
befda30f74be7446c42f4b0c8c7e668749a6078aee6ba7b11144e8ae3782b065

SHA512
b186259283300db2f0f2eeabe105afc5c602aaaa8eead0fc542129b62c58dfc17a745cbfe0f7154751cb6cf7d428c3b6984626c08ac9b6b30b9db96452802623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50c1a14ebeabff1be77a02012350bbf6

SHA1
a19eef15ff631c5167b1b229e94492bb31a8f0d2

SHA256
7aee7bc6bf307c4cea64f60b57c2d4336969b22db1066787c69a2a3a0c302553

SHA512
528771c67a0f2945926489f3490b4230f959499ba0d6906e5653b74abd72dea4d49ecda2e09ce0200153283da97e128170d29e6db4fcea8898146c590293273e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26140380f0c86f076577b90058d96fd9

SHA1
cf8e1a7cc6d01d30965b45ac6490c89f0f2992cb

SHA256
cf598b9d0afab16c11f861633af40eb3a384d976c2fe661a1c4e74718c28a311

SHA512
cb13a806199a19a5fc0a925ae58c9ceb547c01858991fa1da31d2c1acbce688be502ce74a95d1771b915b320ff0496e9e7097e850d92973e164bee93dbd24608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1a89256c73e29c39b403cf384bd0031

SHA1
9d4663cc21534507900542d80405df9d2c2f3f9f

SHA256
81157a1189b390c47c8afa446c36b7cac94bd5bcc350a880ba0aa7084c918207

SHA512
0ae98d2691919c8c2bebea220b0eb4732f2f3b6c066f0f2c5bf2fdda44476fb118db10c50ecddf6eed244b12090299b67ac62635362c765df16a3279316bfdad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
066f3df648dbb6aa1e2b194b7be926c0

SHA1
538c41750e2f31faf861c3d079c213783106daf0

SHA256
8f85d08b9125a95a4d7319f9654f923e913911ed4de077a9cd61e1b9e93f68bb

SHA512
4c4de41a04c15e8bea69212fdc2ec3e919c30c53ae6cdfd7333767fffa9352962bf77ac36e4ad3d6af217bdfe56dd43c35ce3f0c28c5eae8f086c686e9793240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b043784888a6927e52cf5c20704f017b

SHA1
4181dff000b6fc189fa2f39c7d7f618bd3e18e15

SHA256
dfb0b047cb5273419d15c881d8a2aede095b35e8598ec51e57267c0c2ede64e8

SHA512
ba209fa0154219cefea116e0090144a20626873bc7afc9185a111e083a92602f9e392b8a957c9d226b268438ce9f189a29a6e68bfee0b3d9c1bc5507b278035f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
3c02a6df7330c26a57637366ec492057

SHA1
65c2134832481ae845ac15d4cc2ab3e55d9fc4b1

SHA256
da1b81c2ca3804b2f983856e154ff0398ae89024ba516e816c8c9465af5e7090

SHA512
b8577bdee60096a7295303a358636a3f03bdf700a7500b1c161fbf47b51b0cb1abb28e3c77edb2cfc63eda24e494a62ef8439de61c2c44ffd311c9049de3e0d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
5114645954e034b6bd8e06ec8fd2dbd5

SHA1
3d94476d32c9f054b2cad1d11df3344cba8cc318

SHA256
a7114290198d624dbe5fe3467aa0ee2755bf6e17ad821f727d7522f769f18f85

SHA512
965fab9edc2f93abcafff6066b350cbee2dfa24acfd7eb8b96f4b54de427cc15d3b5d81f12820e917242acff618cf929f9baa943d2ec04df04dce2b07961ade1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
a1cbc8600fb0e0b668df61bb5d1737f9

SHA1
65aaea9cf40ee7aafcf033f35980aac172b0a267

SHA256
b0324009cc7d496245d763710959284dbc9eb3c4aa93227cd6fa82772ff5a2bb

SHA512
c731cbc3fd2397fea0afdb98ad7e0a2624dfdd9da00da2032cbb425ff653291bd3e9290514d6aac2761923a055c0666b521a61524595c5ab1aa2b56ce18b2338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
67632ff35edb429db428357b85ea91b1

SHA1
dd40358a61c4efec855fce23aacf78f80a6c315b

SHA256
0665efaae80a2b2b40333b71698e3500bf70506db8e154c18b63e49eec82301a

SHA512
6db25e821bb5177c480f829ed91db71bf37296808ad19992b762e018aab46348eb26bdddafce6878964d82af5e4de79b20c9435b4921fa102f6525b7ccc15636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
82d90a7fdfeeb4de080dfaa7c0aad480

SHA1
5f8238f6b1d912dd43d678e82f490197793ff8c0

SHA256
b5fa5c5a5902141d3ccb3386d774d6e6e7e999100572a28816491b73d2b1f03d

SHA512
32ec1f34c5d58acad9d04ab539b359416befb0c2f212115f112a5873d24ead0b13232fc757802555d6fc7a5dcc5b402191f8823f9f6a83b428a09b457c4098f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83dea703c48fabfd38f65d10f8045fd5

SHA1
2ccc97bb005a47bad606ad9d807cdb27d1a5dbae

SHA256
7250fb580ee45fa4c00c0476061aed5b66f98c3b824e6631c4790c498f50db3d

SHA512
916cdfb2d5e0792dd2e6b95a28acd9c5b8537e8ff9fc9a10384523f0b613a57e8fadd99d8f6cd9a6a0903fc9b7bd58477ecab6f5a7c6125d1e64cb40d5599d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
530c9e7968d4c0de469ddfb6be3e8277

SHA1
bf5c98e03ac0099b41b97d7ecd6774d60a39dfa3

SHA256
6aedfcba8546b9247516738fa5c6c1e30880ed3e8b0d7abcd376f2ae4e482cc6

SHA512
fbddcc52773d96d6dac7fe2a7a5b245d9322d2b51bb0b97c4d56c4e0e39ce1e664a07aa5f26f47c514bd040a93cb9173bf79cb08dbd380ebef79ce3ff9894dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d69087f948b8a181a56e156830f146f0

SHA1
2a092e17350f928dc8da8c4d78bb3f93d82aa686

SHA256
e1a803e91f281f13cccb1eb326876f75a3ffcac4aaa02b80d5169e5ae98fc33f

SHA512
cf36eda41977352cf66ce67f98da653e17a96c9e32bd0b0d8ab80765d3ef5bdb16b3987f6f32e703c78780473627a1f7a4228f28b64bb20ee5f971421d4bc8b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
68d9a10cec5c020c3a052457eca85750

SHA1
083ba363e8beabe3b22c651d7136b496e53dda9e

SHA256
24d784c0b622659f9053673a8bfcb5f743e9fb6649d25d809b51a576b5f6b826

SHA512
4320c95f7008556ae11d3492f12a6a37298e48caac7ee794d2e8eec9a1ac703ce523bfc1d97fbcdcb94dcdccc145c231caa4c3c5a085b1f21b69d1acfa9ce664

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
4a4542c4dabe2c5c3f0592b16ab8c802

SHA1
473577e88a063035c01d7f69a97dac18cbf8a835

SHA256
a0b4d2825199ad294bc567cf8557e3f1bf2353c606e8d048f88bf70434f053c6

SHA512
088b8cbf4e1d5de0630ac2f44ad48b10bc5ccbbcdb61613fb72c513443eacffd2b074b5029d248bee029808133fa36e40b3c99ea31d97e43c174c91cfd99bec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe

Filesize
10.7MB

MD5
c8cf26425a6ce325035e6da8dfb16c4e

SHA1
31c2b3a26c05b4bf8dea8718d1df13a0c2be22ee

SHA256
9f7be9bf913d8378f094b3f6416db9aa4c80c380000202f7cfaddadb6efc41b4

SHA512
0321e48e185c22165ac6429e08afac1ccfdf393249436c8eac8a6d64794b3b399740aa5b2be23d568f57495d17e9220280ed1c2ea8f012b2c4021beb02cbc646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
529KB

MD5
d3e3cfe96ef97f2f14c7f7245d8e2cae

SHA1
36a7efd386eb6e4eea7395cdeb21e4653050ec0c

SHA256
519ee8e7e8891d779ac3238b9cb815fa2188c89ec58ccf96d8c5f14d53d2494b

SHA512
ee87bcf065f44ad081e0fb2ed5201fefe1f5934c4bbfc1e755214b300aa87e90158df012eec33562dc514111c553887ec9fd7420bfcf7069074a71c9fb6c0620

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\343dsxs.exe

Filesize
413KB

MD5
7b0a50d5495209fa15500df08a56428f

SHA1
ab792139aaa0344213aa558e53fa056d5923b8f0

SHA256
d7f591f60eea358649cd97b73296b31a682e22fc5784df440026c3086de3d835

SHA512
c1fe0cb875124c9069f01fc3ef44d864ec82cfad49ee733edecd8b9b5e021594937362641aa33d865aa8a3ec376e46162c988906b0cb7bd0666e873988fe3661

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.4MB

MD5
04e90b2cf273efb3f6895cfcef1e59ba

SHA1
79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

SHA256
e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

SHA512
72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe

Filesize
138KB

MD5
826897ca5ccce947f4438b5fe40f474c

SHA1
fdd4b4d4becdf6c4b00e839fedfac2c9b28d38c5

SHA256
78429d3756f7492ab1edb60fe821386e1c52b13f6ca4fcbea44f8d2d7087370b

SHA512
617788d734bdf17b39e3aa25fee94c1545ee20bb247eccf8dd78cdb2ebd2abd6dab32f90c996d3f09d0c2f8bf69e91f5c541e1712e789bd740102c9dd28b4ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe

Filesize
304KB

MD5
a9a37926c6d3ab63e00b12760fae1e73

SHA1
944d6044e111bbad742d06852c3ed2945dc9e051

SHA256
27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b

SHA512
575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\f1f5d3d247.exe

Filesize
89KB

MD5
eb2ff4ef94be3e00317acf34a81d9291

SHA1
35c10e466486420e33fb087f252c46a1bd17df0d

SHA256
37c5976a95bb9bc873a5dd24c1e45a9fd6d63f41c3bc2ecc2b2b26647f7af375

SHA512
d1f489bbe5c53d52a4dc516b683d68cd4632b93320bf4d3e335ccd11fe9465f007511717fd917f60a96f4bc698fd229077e6cd6b508e2ef354e2d68b0a002064

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\90bebffc8f.exe

Filesize
1.8MB

MD5
0e2499f8779fe21277588388513192df

SHA1
fff3b7417c3958ca7972016fef3fa4c3edae8277

SHA256
eb460b36e40c702acf84637b97bd3bac64ac85f560e8414da7ebf1dfb00c272e

SHA512
41929301f576feba9dda52cd60764c41620d86e61906292d41bce892c01b57fb4841d60c0b8e3f16d717978ec3283fd1b4f8737c873c143b99a9de26047abedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AEA.tmp\8AEB.tmp\8AEC.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF26A.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvcaan5q.b1u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\stub.exe

Filesize
18.0MB

MD5
1cf17408048317fc82265ed6a1c7893d

SHA1
9bfec40d6eb339c5a6c2ad6e5fa7cebc147654c5

SHA256
1352ad9860a42137b096d9675a7b8d578fbc596d965de3cb352619cbe6aaf4e9

SHA512
66322d7cb5931017acaa29970da48642d03ce35007f130511b2848b67169c1dd4167f1e5a31e5e1dfe5f7122846482bdb878b5cd695ac58009033fd620813a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3408_133668043360961193\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1750093773-264148664-1320403265-1000\547b80bf7d325995f0658a2931bf5a90_46967d70-72aa-405b-b21a-7603bc5aaaad

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

Filesize
8KB

MD5
451d3b7a9a310c59ff2ac146591c5a85

SHA1
f7dfc30a3dbaf6c93ed16276832fafe44d9a4b10

SHA256
791e4004e5546bba0eaf4f2356890bff1e36b012e1b4d407b000222b4900652f

SHA512
3367958f8de8c5d6a737fcef7b278ee076a0edf37fbe1cb30f96c6dc2eb0270dc6b58adfec5310e73f8929a12fa0b0954632c707aaa291d3b87c4d610a62a573

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4fa71c93554ba63e765d3e4a3c64358c

SHA1
dedb5fe4b13469f73d7d60c3e7c4b5e36502e0dc

SHA256
a6cd61a6feabdeff1d07166e85e6ded919696b237d0fbec7bce9f9e5590fe52e

SHA512
9f9242be97edc788720d88d1031f16a4eeaba9ef49087731c20f8841d68e0e0af41f493745126c028f8986447c5c70ae5c2d7743001663596c3bd4d74fdbfa55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
985c9b64e5a69d8ee2badee697d5bf16

SHA1
1a9b63ff699fbca10be76b16c556771670c7fbea

SHA256
9059682e4584ab6c402a0f6e1d6f30d4ea60a396389c50df4d564341d0d4f78e

SHA512
f50e73320ea326e8f387c152e635f5a09fe565eaaf210ffdcf50329c60ebb849507ddd9f0527fd6996ac5f5f9bb64639266a1577cfbe4ae2ced4c339aa8a4e26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\66497531-5613-4dd5-b1fe-030b4fdaa557

Filesize
26KB

MD5
12c76cd2eb893630649dca177f2362a1

SHA1
584c9df2ddf178e655d7c6cf31fa66c45e63ba46

SHA256
288d3e7c6ae24daeb2385fb19ee68142d03cb7069b3f48f4035dce8bc4ccb1c3

SHA512
741e69491f0298936c6a4df6763ddd8fb71491c20539e42d89c784186ebcbab5f9b763f9b1c25e59ccfbf11ec9633d95ea3ee1cb99dfdcfbc41cc30afc94ed61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\a0b32969-93b2-4656-8bd5-a60670e7cd18

Filesize
671B

MD5
028fc64cb13de1aee3a23526686b6dc8

SHA1
e7a9acda62d90565720b4d06d383665d9ee4b01b

SHA256
3b4f6c7034cde673f171823605f1b1fbecaced937b4b11d93780a20de0810485

SHA512
19413df9c392aadef3cb11e0e3b0c41df21619bcc2be89df3af9c08d3afbe543d19c8f8ba31456d290f72d549b4df21c8fc73f9e60a2e89f531dafe60cecf671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\b7df0718-fbfd-4742-9114-ee40ba0198c3

Filesize
982B

MD5
acebe0f399ef6209a3a34be0d537bfc5

SHA1
81805b8ba538399ffb22e14b506716cfadc71057

SHA256
07545aaef63974e69e376bf4b00d66a42135ba74adda0d4a6b075bb25d3f1d07

SHA512
e815ebd961809fa5ca4d8aef3efcd29c559bfe84311a016d719bdacf1e16d00a68c08d43fb1242cb01608ef380e111adcca81d472448e30d4169a3c49d5a9bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

Filesize
11KB

MD5
1010582ad63e70b1aa8d6c994ff1672c

SHA1
741638119c9ae14964cd363509a19d44c08ec53d

SHA256
adf8c7c75708070ff6112c73d8ccf92f21d26f52befc96f0495325c034cd3236

SHA512
f71bbe2942d1e50004f134f2a5f5c6b3005d88d9223dbe3f9d092bbf181bbc241a13ef6fc400513482209fbab2e9dbdd91c169dac4cb963c4a9b28c452d874bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

Filesize
16KB

MD5
c9e336e31361fb34173fb13983ae0c65

SHA1
66305068933366277ec62d66f645dc09648c9668

SHA256
9434e1fe7236d3cad6cde367866fd56209dbfb1d5fa4c0890d1f43d20b32ae28

SHA512
b84ba1039c687598988cbe46de3de7066d85b57449080d295471fa9f27e37ad7580f7e3e9b44f81e66f47c88da3a4bbb68280e32375197bf28def603eb093cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

Filesize
11KB

MD5
a8642991ba92d457a2588b89808d1f5b

SHA1
cafc55b4e50a5b3ec89242517e8af07dff2f0f1e

SHA256
25e4282c4acb15451a1667076bf23c08b02fe8b09d8f2aed5e7e30cac8c00150

SHA512
26ef326bb9f683123e0836b339a62dfdceda9154118c928ccb940495d733ecb8d7970d069f85cdd567576e6ddbc4b4d8e80a6b7fdf3d389ad2f94ace61dd0d73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs.js

Filesize
8KB

MD5
b74ee55f42ac5602aae8954b11217033

SHA1
9f168cf570b4e3a8840ee9b2fc9ebdf68272153c

SHA256
f6f849cf480e88439f9c227adf1d266021ce9374e03a62c7e49732657bc7b88d

SHA512
c7429f423de4e375aab1e71416b327e9f72ec57e4e8e531ac5dc76903a39bef6eff990a6b54312d59935ebef960dd9c6bb4a2cdb72c9bc4e8b5fc5722135fa62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
d304dd9ab3c91d8bbd03ac14369c81a7

SHA1
b6b3bee7ee96cd2271cd91d67bdccb910eb05668

SHA256
2b21c74c51c66ce5705301d6bf1d3f0aa723868d6fd44861c60e3e45f57d621d

SHA512
7316db91ff69a247004f506fee9467a4a2e06164f40aae6749a296b8fb1e747950692a18a825520b317d922a5684ae90f1c760e91cff8670f9ef9af3af01e20d

Download Submit
C:\Users\Admin\AppData\Roaming\ZqZR2b3t3C.exe

Filesize
510KB

MD5
74e358f24a40f37c8ffd7fa40d98683a

SHA1
7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

SHA256
0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

SHA512
1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

Download Submit
C:\Users\Admin\AppData\Roaming\xHKtFZFsi4.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
f3d960cd7dea04af034c13eec217e3ae

SHA1
8f0c88db762109575b26b2570dcb2b687ef363c4

SHA256
55e0b4a6bdd98d54680b81abeb18a163f34ddef5dcc24e4e9fad3f61746bf297

SHA512
c707177c52e686352cff1b67d8e05edeaf2ef80b2b22f8c8eed33ca390db39a2e036b0aee10cefc385e0e1bcb5da9d0fdd45c5cd88d39e29cb2614ed4ad20e48

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
34634e2ecb3b5a44653ce2ac68b3cf51

SHA1
41c8200223c671deefe2e9b1867c01d9063e9cc2

SHA256
ac62681a5e44b2a39a5ddabd37688cfa4d178baa360ac525032970186e07fabf

SHA512
35c9074a16513ff46db89346f812cb616fdf620566b3da51e5edcc90e37ef790a268457b2b94b15adba1ac97b88b6aa300114e93f95cade7ccbeaf3be30cbd81

Download Submit
memory/1184-3390-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-3368-0x0000000000800000-0x0000000000852000-memory.dmp

Filesize
328KB

Download
memory/2764-3312-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2764-3313-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2764-3316-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2764-3315-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2764-3335-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3060-3336-0x00000000001E0000-0x0000000000266000-memory.dmp

Filesize
536KB

Download
memory/3172-587-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-21-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-3469-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-462-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-526-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-527-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-3440-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-18-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-2607-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-2992-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-843-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-3099-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-3303-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-19-0x0000000000971000-0x000000000099F000-memory.dmp

Filesize
184KB

Download
memory/3172-3416-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-2953-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-3387-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-2947-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-20-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3172-1694-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/3408-3219-0x00007FF6340D0000-0x00007FF634BA8000-memory.dmp

Filesize
10.8MB

Download
memory/4340-2-0x00000000008C1000-0x00000000008EF000-memory.dmp

Filesize
184KB

Download
memory/4340-1-0x0000000076FD4000-0x0000000076FD6000-memory.dmp

Filesize
8KB

Download
memory/4340-3-0x00000000008C0000-0x0000000000D7B000-memory.dmp

Filesize
4.7MB

Download
memory/4340-4-0x00000000008C0000-0x0000000000D7B000-memory.dmp

Filesize
4.7MB

Download
memory/4340-17-0x00000000008C0000-0x0000000000D7B000-memory.dmp

Filesize
4.7MB

Download
memory/4340-0-0x00000000008C0000-0x0000000000D7B000-memory.dmp

Filesize
4.7MB

Download
memory/4376-3141-0x00000171A0D80000-0x00000171A0DA2000-memory.dmp

Filesize
136KB

Download
memory/5272-2963-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/5272-2959-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/5432-3338-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-3150-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-3470-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-2956-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-2948-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-2642-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-3391-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-3441-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-2993-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5432-3417-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5648-3443-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/5648-3444-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/5688-2957-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5688-2961-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5832-3442-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/5832-3445-0x00000000003C0000-0x0000000000882000-memory.dmp

Filesize
4.8MB

Download
memory/6016-3307-0x00000000093C0000-0x0000000009582000-memory.dmp

Filesize
1.8MB

Download
memory/6016-3197-0x0000000007100000-0x000000000720A000-memory.dmp

Filesize
1.0MB

Download
memory/6016-3196-0x00000000074D0000-0x0000000007AE8000-memory.dmp

Filesize
6.1MB

Download
memory/6016-3184-0x0000000006470000-0x00000000064E6000-memory.dmp

Filesize
472KB

Download
memory/6016-3167-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/6016-3205-0x0000000007250000-0x000000000729C000-memory.dmp

Filesize
304KB

Download
memory/6016-3204-0x0000000007090000-0x00000000070CC000-memory.dmp

Filesize
240KB

Download
memory/6016-3166-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/6016-3165-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/6016-3277-0x0000000007330000-0x0000000007396000-memory.dmp

Filesize
408KB

Download
memory/6016-3164-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/6016-3308-0x0000000009AC0000-0x0000000009FEC000-memory.dmp

Filesize
5.2MB

Download
memory/6016-3283-0x0000000008FA0000-0x0000000008FF0000-memory.dmp

Filesize
320KB

Download
memory/6016-3185-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/6016-3198-0x0000000007030000-0x0000000007042000-memory.dmp

Filesize
72KB

Download
memory/6208-3220-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6208-3222-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/6208-3221-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6352-2543-0x0000000000400000-0x00000000031E8000-memory.dmp

Filesize
45.9MB

Download
memory/6352-2187-0x0000000000400000-0x00000000031E8000-memory.dmp

Filesize
45.9MB

Download
memory/6760-2608-0x00000000000D0000-0x0000000000592000-memory.dmp

Filesize
4.8MB

Download
memory/6760-2644-0x00000000000D0000-0x0000000000592000-memory.dmp

Filesize
4.8MB

Download
memory/6944-3215-0x00007FF7E5840000-0x00007FF7E6A7E000-memory.dmp

Filesize
18.2MB

Download
memory/7016-3337-0x0000000000DE0000-0x0000000000E64000-memory.dmp

Filesize
528KB

Download
memory/7100-487-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download
memory/7100-485-0x0000000000970000-0x0000000000E2B000-memory.dmp

Filesize
4.7MB

Download