amadey | 7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Size

1.8MB
MD5

62784b54dca4829a61e16d31b8e30f87
SHA1

2323b4b01ea18b4478ecb41309e24d64ad52746d
SHA256

7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd
SHA512

7e06144259680af23fabb3c225daaccaf930a7313ca3ccf9639addd119acf13a41b23c764be08259a1643077475d8edc51e08e46a699a75f61fc2ff07d2e56a3
SSDEEP

49152:tP1Dp0xtpy4XriZY20Tf7b7X34fYXmag9kUVVo:Z0vI4X2ZY20Tzb7XIf2GHo

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

25072023

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023515-776.dat	family_monster
behavioral2/memory/6968-1007-0x00007FF70B120000-0x00007FF70C35E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/5920-894-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x0006000000023243-1088.dat	family_redline
behavioral2/memory/5564-1100-0x0000000000D30000-0x0000000000D82000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6f0d436744.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5676	netsh.exe
4024	netsh.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6f0d436744.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6f0d436744.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	2af0eda205.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	6f0d436744.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6756	powershell.exe
6488	cmd.exe

Executes dropped EXE 20 IoCs

pid	Process
2376	explorti.exe
3300	2af0eda205.exe
4952	9787303e8c.exe
5872	6f0d436744.exe
5520	axplong.exe
1392	axplong.exe
2428	explorti.exe
6804	build.exe
6968	stub.exe
556	GOLD.exe
3196	4434.exe
6408	crypteda.exe
6792	In6ka9Qxay.exe
3924	MMmzwZcbK4.exe
848	2.exe
5564	25072023.exe
3372	explorti.exe
7060	axplong.exe
5136	pered.exe
7104	pered.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	6f0d436744.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine	axplong.exe

Loads dropped DLL 55 IoCs

pid	Process
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6968	stub.exe
6304	RegAsm.exe
6304	RegAsm.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe
7104	pered.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2af0eda205.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\2af0eda205.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9787303e8c.exe = "C:\\Users\\Admin\\1000029002\\9787303e8c.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
190	raw.githubusercontent.com
191	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
188	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6828	cmd.exe
6016	ARP.EXE

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4476	tasklist.exe
1204	tasklist.exe
6604	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6156	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
2376	explorti.exe
4952	9787303e8c.exe
5872	6f0d436744.exe
5520	axplong.exe
2428	explorti.exe
1392	axplong.exe
3372	explorti.exe
7060	axplong.exe
7104	pered.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 556 set thread context of 5920	556	GOLD.exe	161
PID 3196 set thread context of 6304	3196	4434.exe	167
PID 6408 set thread context of 6060	6408	crypteda.exe	201

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
File created	C:\Windows\Tasks\axplong.job	6f0d436744.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5460	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023524-1142.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023539-794.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5544	4952	WerFault.exe	116
5640	848	WerFault.exe	206

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	In6ka9Qxay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f0d436744.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4434.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2af0eda205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9787303e8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMmzwZcbK4.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6932	netsh.exe
6788	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5280	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2000	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5280	NETSTAT.EXE
5056	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
7016	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6284	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
2376	explorti.exe
2376	explorti.exe
1268	msedge.exe
1268	msedge.exe
3120	msedge.exe
3120	msedge.exe
2176	chrome.exe
2176	chrome.exe
5872	6f0d436744.exe
5872	6f0d436744.exe
5520	axplong.exe
5520	axplong.exe
2428	explorti.exe
1392	axplong.exe
2428	explorti.exe
1392	axplong.exe
6756	powershell.exe
6756	powershell.exe
6756	powershell.exe
6304	RegAsm.exe
6304	RegAsm.exe
6304	RegAsm.exe
6304	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
5920	RegAsm.exe
3372	explorti.exe
3372	explorti.exe
7060	axplong.exe
7060	axplong.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeDebugPrivilege	4192	firefox.exe
Token: SeDebugPrivilege	4192	firefox.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
4192	firefox.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4192	firefox.exe
4952	9787303e8c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2376	2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe	79
PID 2404 wrote to memory of 2376	2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe	79
PID 2404 wrote to memory of 2376	2404	7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe	79
PID 2376 wrote to memory of 3300	2376	explorti.exe	80
PID 2376 wrote to memory of 3300	2376	explorti.exe	80
PID 2376 wrote to memory of 3300	2376	explorti.exe	80
PID 3300 wrote to memory of 4188	3300	2af0eda205.exe	81
PID 3300 wrote to memory of 4188	3300	2af0eda205.exe	81
PID 4188 wrote to memory of 2176	4188	cmd.exe	84
PID 4188 wrote to memory of 2176	4188	cmd.exe	84
PID 4188 wrote to memory of 3120	4188	cmd.exe	85
PID 4188 wrote to memory of 3120	4188	cmd.exe	85
PID 4188 wrote to memory of 5036	4188	cmd.exe	86
PID 4188 wrote to memory of 5036	4188	cmd.exe	86
PID 2176 wrote to memory of 4876	2176	chrome.exe	87
PID 2176 wrote to memory of 4876	2176	chrome.exe	87
PID 3120 wrote to memory of 5104	3120	msedge.exe	88
PID 3120 wrote to memory of 5104	3120	msedge.exe	88
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 5036 wrote to memory of 4192	5036	firefox.exe	89
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90
PID 4192 wrote to memory of 5024	4192	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe
"C:\Users\Admin\AppData\Local\Temp\7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\1000020001\2af0eda205.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\2af0eda205.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF2C.tmp\AF2D.tmp\AF2E.bat C:\Users\Admin\AppData\Local\Temp\1000020001\2af0eda205.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8c0cccc40,0x7ff8c0cccc4c,0x7ff8c0cccc58
        6⤵
        
        PID:4876
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,9319689624201551263,18007806403979348290,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1920 /prefetch:2
        6⤵
        
        PID:1264
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,9319689624201551263,18007806403979348290,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        
        PID:3444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,9319689624201551263,18007806403979348290,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2596 /prefetch:8
        6⤵
        
        PID:2700
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,9319689624201551263,18007806403979348290,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3124 /prefetch:1
        6⤵
        
        PID:6012
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,9319689624201551263,18007806403979348290,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        
        PID:6024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8c0ac46f8,0x7ff8c0ac4708,0x7ff8c0ac4718
        6⤵
        
        PID:5104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:1968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
        6⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:3704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        6⤵
        
        PID:4028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6613301041460129243,413273769307657411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        6⤵
        
        PID:2476
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fcc192a-a991-4020-87ef-c08c83d88ec9} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" gpu
        7⤵
        
        PID:5024
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2b40cba-c320-44f8-bb7d-2c18d3a569a7} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" socket
        7⤵
        
        PID:4020
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbd0634c-b406-4ad1-b6bc-2a4efbe338e9} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" tab
        7⤵
        
        PID:3004
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5ca0f45-fb14-4a5f-bc86-43e9240e6b0d} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" tab
        7⤵
        
        PID:4036
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4280 -prefMapHandle 4272 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38cb9af8-de19-469a-bbd6-892acf607696} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" utility
        7⤵
        Checks processor information in registry
        
        PID:5588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 5428 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e7287c2-9261-43d8-8207-71684ca2276f} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" tab
        7⤵
        
        PID:6080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5712 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce1dc9d0-44f8-497a-99bb-18489a448984} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" tab
        7⤵
        
        PID:6112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff832c64-e46b-426c-acec-12bfb4e8af5b} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" tab
        7⤵
        
        PID:6140
- - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    3⤵
    PID:5612
- - C:\Users\Admin\1000029002\9787303e8c.exe
    "C:\Users\Admin\1000029002\9787303e8c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1284
      4⤵
      Program crash
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\1000030001\6f0d436744.exe
    "C:\Users\Admin\AppData\Local\Temp\1000030001\6f0d436744.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5872
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        5⤵
        Executes dropped EXE
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:7160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:5880
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5400
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:6156
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        8⤵
        Views/modifies file attributes
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        7⤵
        
        PID:5904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        7⤵
        
        PID:6168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:6484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:6604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:6488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:4632
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:6768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:6508
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:3520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6788
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        Network Service Discovery
        
        PID:6828
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:7016
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:1472
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:2000
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:4652
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:4832
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:4932
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:2312
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:2236
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:1352
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:5256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:1416
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:4236
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:1600
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:3852
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:5468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:4476
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:5056
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:2700
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        Network Service Discovery
        
        PID:6016
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5280
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:5460
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4024
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2280
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6508
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6500
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:556
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:5920
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\4434.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\4434.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3196
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:60
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:6304
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6480
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Users\Admin\AppData\Roaming\In6ka9Qxay.exe
        
        "C:\Users\Admin\AppData\Roaming\In6ka9Qxay.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Users\Admin\AppData\Roaming\MMmzwZcbK4.exe
        
        "C:\Users\Admin\AppData\Roaming\MMmzwZcbK4.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 356
        6⤵
        Program crash
        
        PID:5640
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        5⤵
        Executes dropped EXE
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:7104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4952 -ip 4952
1⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1392

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 848 -ip 848
1⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3372

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DHJDAFIE

Filesize
114KB

MD5
72d6dfd319e75b8e90d5137cfbac3c28

SHA1
5c62b77847077178635448e6b74c092d54e6fe3d

SHA256
cd6c4d558dc6ed8c01de08580dd2736cf0882edaaa34480e4f153545dcb5abd7

SHA512
fb48dc3a329a1f3929beb128f2617b486c4a1ef2b9a368eaf16a2defc1495aa949c29fa8c3b4ff446dcf5a074a83a69b3bc7664537f9eafef4b6858b7526189b

Download Submit
C:\ProgramData\IDGHDGID

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JEHIJJKEGHJJKECBKECF

Filesize
12KB

MD5
804be75f718047b22a4667394fe37681

SHA1
8a189a339b6fe2455cad64d643ac50721c50f52a

SHA256
415dc7f44aa35568cb53b82fc79fbdf0b9cec4b0b16df2b6dffe88643ddedc5a

SHA512
4d4ce0a1dcc94198792dc84bfa030dea3b5ad3af5590b15d57615cb4214cc200304ab88d5c415973e32391f8764fe490624b1355bda6fb486ebfa297eb6c7e23

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000029002\9787303e8c.exe

Filesize
2.5MB

MD5
34fb1e1cf87cef65f1f37ee004d726d0

SHA1
f2b5efaec1e93dd6cd4bc3323b898379f70a9242

SHA256
5b356893c1912e17492d2d8b1f17edd8c8188466f6621b2153a22d533b9fd0b5

SHA512
6badaec3537de8eb3c9d1bf6ad9ca03aa184a4338960c8c32695f769568c925c06183eab28e752fbe0ec982c7e788a1fefb703d96d506525a17633590fe4843f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
208c0a91e1f9ac2e952eb7f641955672

SHA1
3baa3a272f6922cfbc6d512f19000ebb32eee6ea

SHA256
c787b49c06e441226f5f7650f3cf768299b77c5f18a25b5e5de1250ce60a7e7b

SHA512
852ff36b3f8015f744e8ddc1ad56913c1fb087d9cec79299733fccff8510946d2b8ac4ed23ab8885c38748c2ed2f861b9f366a9358229fc07b2637c6b8376c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
35a98a2966418170628f094b373ad67b

SHA1
bff3d5bdc66610d32c77b87719e5ebf00dbfd87d

SHA256
d2e2e0c607095ed4f9bbb479d9b9ee031428d8ed7469979bc8eab6b5235aa315

SHA512
972455334489ee4d3b0ce2310e767ea1597d1322446ba2624b4cd00c239319800e245ce722caf89efbc8cc14b057bf4e3ffa45ce89498039d70b123a5c1ee15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
81e8a7eb5e32882caf715b0a31d0739e

SHA1
f981cf1b9fa0bf7982f375afcd6fa7cfcb0514ad

SHA256
76aded7352cfabe99711329827f94e6b9e31e3adf72be1136d1b60d14682ae49

SHA512
cdb9d3246fcfa0530110dedbf254198ccfd9d99650b75dcaa52cfaa61cc3000d0f0ba7eb1b7856a5a7f4738c7dd868cfc43572bc2b2560ca6ca9b56f9e7f8133

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
004ca3b0381f43e978e6334041715b5c

SHA1
1c82aeba1a159e91660d2ff4f05867163a1209f5

SHA256
0e5d61402a205049ba632133bf625c63c32f8539b362e1b56294b2b080639840

SHA512
5024eba70e9ae1a6a1a20dcd92132d2096b4fff13a55137c1fb1802037b0d9e06a6d9cd743884a4e372085302ec0a4d3c330902e9d783a470ca667b79288d109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
60ab71f526a2402c6671ed9e1467e2b2

SHA1
a3d102782a6d2ded9616a4630456338da60245e9

SHA256
d6a46adf66b7a303c8548a9f39e8728af6167817d5839cc45e9302a2196f3ec3

SHA512
3349341830a7afdfc9be2e8ce0729bf53d817b43f29ccbb40f6a6742ac890969d7a1e6c129096d2e71d3c5d03cac8ea3512d66132e9e6ff9e4d39288bba23741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94c981336abc388ca817dab46e7fc547

SHA1
2d0f8d89a31adb0aad5c599a195ff40ecf4b161f

SHA256
4d44efbb5447fedc3cb21311290fe6a9d0e5a0e682387a1a341bd214df820ef2

SHA512
f1c9c98f6642ea3b90c8667a4871d5a3b8c05eb0c50d5dc31e32704e0eeca1d33add414df485aced130523d6be824c48e37d0022b4d58db60006efe3e337fdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b55d2d2ff2a4d5d7eeaff5ebb96f3b4a

SHA1
12d94b9e84142b10d6347a2ff3b634a20f692c7a

SHA256
3d249eae36cfc3837b043e4b8df670724fee5657b302c77d488f1da3d835f776

SHA512
4dc2fe1eeaca5f9c91d548c70a44ffd12b806a385e22a3c5f724b6f749a15c9ccb3ac1a752c63225bd4d1d90f2b25d8004a15d3912ca6a3cb92fcba91248626f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
33KB

MD5
60b8b39a48e099a79b96aa1cc1e0cfc4

SHA1
fdf8cae154235a990f757624591ec05b3891ac26

SHA256
cb5000e7cd62ab7f1fe45f8eb4ce9c4187f7b211436fa7dfb3aa2fef44400854

SHA512
0976939732ffc39a891c13248508fb2473c402a0f83cd1abde02db00c71404ae442537f71b596e6ac64e91f16a9f15d49f3af583d60f87812dd0916468534b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
a1cbc8600fb0e0b668df61bb5d1737f9

SHA1
65aaea9cf40ee7aafcf033f35980aac172b0a267

SHA256
b0324009cc7d496245d763710959284dbc9eb3c4aa93227cd6fa82772ff5a2bb

SHA512
c731cbc3fd2397fea0afdb98ad7e0a2624dfdd9da00da2032cbb425ff653291bd3e9290514d6aac2761923a055c0666b521a61524595c5ab1aa2b56ce18b2338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
91910f73a9f2d573386743dfd2bdcb28

SHA1
e3789276a493d03836368b2ed505eb5891cd8049

SHA256
f39dc549f94c69279c9fc3114ccd445d1c45352a925b081cd2d67d46070dc928

SHA512
204af5cee40a41905828cbf35642191e5abf5135356bec21fd4f1bdc7d3352a83e2efacd73eeb8f8918f5bc044b7b2e029f976d52f8e0de6f2e39fc4a3e043c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
515589de90a31ae32b9b88ac9d1bd998

SHA1
ef1e34e98f7a0f11f6cf151a4f7c82c948095b9e

SHA256
44e23e4ed92b3cfbf214c38d1dc3c2b0848fd22a85419739f0f901427ec65759

SHA512
7f66ab4a57ee932f984e835eaae647ae4de782b5c9dd17d50f060de687a2524505afb14018154b63d4f3646c54caf98e19240655e51546487068afa347228a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5b5fefdc600d15aca55adfdccaa7795

SHA1
88274210232c751ab6f7bd667d2f9acd0d81f721

SHA256
0a8cfd9c0b4e6c5be38b08ef8dc37f3b3358d2d185021dd20aa9ec7c6984d54f

SHA512
5d70cc0043815169daa61a8ae4e8f1555007de6029e493be4cb3e837b9aaf80a54e90f840b69ec2a7d75aac11757919ce233803acf34ed3bc99c5c0a99b20a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b16b44c9f39afd6429f6e86dfd7a929c

SHA1
1e821bcaafa03ade28a65f78c13e4a24e573fac5

SHA256
ce700daac77dd8d041fce9774d8434dbc06dde0df57ed18c239a48af8bde3c18

SHA512
c05ce24fcea2955e2982889c96574eb7207172a2ead97569f402c069f44e5f8f223402450405a38172ed27ce4ef42d03aed3223556e5b6091452bc3c091bd82c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
0875328617fed79e8f773aecad76a19a

SHA1
e10000b80513fdee50eb831ca8afa5495a91ba0c

SHA256
6a619c4476187a46c7a844a975019281c6f36b1157143ec9671d9c3d1d603d80

SHA512
6f499573a70ebf4403e9a4681287e1d5c2a43a8500cc8819fc8613a334ced90c9b18cce26ab1193775fed1d71b60495968c87fa12a70170d1e3feed059d1157d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
62784b54dca4829a61e16d31b8e30f87

SHA1
2323b4b01ea18b4478ecb41309e24d64ad52746d

SHA256
7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd

SHA512
7e06144259680af23fabb3c225daaccaf930a7313ca3ccf9639addd119acf13a41b23c764be08259a1643077475d8edc51e08e46a699a75f61fc2ff07d2e56a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe

Filesize
10.7MB

MD5
c8cf26425a6ce325035e6da8dfb16c4e

SHA1
31c2b3a26c05b4bf8dea8718d1df13a0c2be22ee

SHA256
9f7be9bf913d8378f094b3f6416db9aa4c80c380000202f7cfaddadb6efc41b4

SHA512
0321e48e185c22165ac6429e08afac1ccfdf393249436c8eac8a6d64794b3b399740aa5b2be23d568f57495d17e9220280ed1c2ea8f012b2c4021beb02cbc646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
529KB

MD5
d3e3cfe96ef97f2f14c7f7245d8e2cae

SHA1
36a7efd386eb6e4eea7395cdeb21e4653050ec0c

SHA256
519ee8e7e8891d779ac3238b9cb815fa2188c89ec58ccf96d8c5f14d53d2494b

SHA512
ee87bcf065f44ad081e0fb2ed5201fefe1f5934c4bbfc1e755214b300aa87e90158df012eec33562dc514111c553887ec9fd7420bfcf7069074a71c9fb6c0620

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\4434.exe

Filesize
413KB

MD5
607c413d4698582cc147d0f0d8ce5ef1

SHA1
c422ff50804e4d4e55d372b266b2b9aa02d3cfdd

SHA256
46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5

SHA512
d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.4MB

MD5
04e90b2cf273efb3f6895cfcef1e59ba

SHA1
79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

SHA256
e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

SHA512
72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe

Filesize
139KB

MD5
f0f07372cd95228359e18903e77c2d22

SHA1
fa4dd584f5d65d5fa794916d78d61b71c2686f91

SHA256
83b7e36b7c0deb90be28c234398b630deedd16a0e9deb9f46e3c72c665ca5066

SHA512
b1214cb8d7dd129b7cb01fad21c3aa1d8dbaef6d99a302e988ed3cfcc6045e50f92caf1c16500c425ba0899d017cac77a31dc0c9db2ae6ba648ee29fbb5f2f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe

Filesize
304KB

MD5
a9a37926c6d3ab63e00b12760fae1e73

SHA1
944d6044e111bbad742d06852c3ed2945dc9e051

SHA256
27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b

SHA512
575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe

Filesize
10.9MB

MD5
faf1270013c6935ae2edaf8e2c2b2c08

SHA1
d9a44759cd449608589b8f127619d422ccb40afa

SHA256
1011889e66c56fd137bf85b832c4afc1fd054222b2fcbaae6608836d27e8f840

SHA512
4a9ca18f796d4876effc5692cfeb7ce6d1cffdd2541b68753f416d2b0a7eff87588bc05793145a2882fc62a48512a862fa42826761022fed1696c20864c89098

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\2af0eda205.exe

Filesize
89KB

MD5
fbf64bae499d1d396c91a66ecbd21e7f

SHA1
cb7318bd792d464ba09399e5b16f8a459d2434f5

SHA256
d308a6720ce59a347a4b15e8ca89f587f812f095f46fda510ee932accce5785a

SHA512
be06ec59a70ae4a2ed50cf9373b25497bf7104330502ee6093a7407fb21003ff534e1ed9e7b36e9a01f646e4a1a64f350b9793050d3a6894b1dc589b6e7e3534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\6f0d436744.exe

Filesize
1.8MB

MD5
5c9f2f3ea2b203cd5da994d690608152

SHA1
30dc948c672153348e590db908fbbea6381fa115

SHA256
f5f9309a533440a54cb426169b9b6f8de45803862711394dca8505dd4b7a74a5

SHA512
76cda460561b7325fe313b1b430a5c538bfcee1c3d767aeef2b4b393b168d4aea053b445ce9c1df10af79ce880fd8d492c2de52877896123a313f44f44889429

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF2C.tmp\AF2D.tmp\AF2E.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd

Filesize
45KB

MD5
ddd4c0ae1e0d166c22449e9dcdca20d7

SHA1
ff0e3d889b4e8bc43b0f13aa1154776b0df95700

SHA256
74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c

SHA512
c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp54A3.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pqxnca0.qpn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\stub.exe

Filesize
18.0MB

MD5
1cf17408048317fc82265ed6a1c7893d

SHA1
9bfec40d6eb339c5a6c2ad6e5fa7cebc147654c5

SHA256
1352ad9860a42137b096d9675a7b8d578fbc596d965de3cb352619cbe6aaf4e9

SHA512
66322d7cb5931017acaa29970da48642d03ce35007f130511b2848b67169c1dd4167f1e5a31e5e1dfe5f7122846482bdb878b5cd695ac58009033fd620813a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6804_133668353489151446\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\In6ka9Qxay.exe

Filesize
510KB

MD5
74e358f24a40f37c8ffd7fa40d98683a

SHA1
7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

SHA256
0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

SHA512
1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

Download Submit
C:\Users\Admin\AppData\Roaming\MMmzwZcbK4.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\AlternateServices.bin

Filesize
12KB

MD5
45361734bd27f3f7c0b4d6f165c9153a

SHA1
0c30da0f8fef8f53a645aaffa605f969ebfa63d3

SHA256
fe5c42be7d223c4f6867ae56d42d05fa1ff4c9e2745c9b45a2aa8e936c8f275c

SHA512
993741934e6ba385dd18ec35a676ee2b2e0ef6212a31397e3fa518a5bd6ab0d78ae4d0a9d19ffe64dd90e5ceb7c47b665124076b94df24e06dd8b136dac94004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
c7a54a3bff96b88c0eb3773832ca608e

SHA1
f14a1a87d112f8b654f18b0b8d2dbc56f32c0b4c

SHA256
7c82d04d74cd7c1fd58ca8aa74a8788a4d718ac2a716d2a57382a98af79fd5c2

SHA512
4600f97ea44b2a5d862e8c608794865a5c7e89647949b2a511e90f88586e69b9263fcf97d7eb2720bc65538427ac4e9d00873b0a8e3fd304046ce6b71ce7d3ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
02f351a17d92be4b078a33cbd00535de

SHA1
84238db2029be7a6776fec4dc7239cca96f1fc5a

SHA256
1d6857714e5be92972b0864956f20516462b5ea05c60771c54816f2c83eda274

SHA512
b598db24a45d95924dfbeaaaa8c16792e2c1fc88def05ee3ec1fce26be379f0882d6bba888fa90d463502d9450aa1bec93032da1500f9b0e0647a4a756acd507

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
32f1a9d303cdbce404e401d38bdf34d4

SHA1
fb5a3ac09c72c0cefeb400feb2e157dba849097d

SHA256
e376a92bb2c29e7c3548069bdd86a4cf21364a4ec1ba960ee4f42387172f623c

SHA512
2aefa2cfe058006500b50ca1009ebfebc1eab8412160ccfa33065806454b10257e89abc214cee1a028795d7f06cfbff540b29d06e57a068a177d36db5ab6331a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\4b98922d-edc5-4fe1-8b4c-b8f55d61df3e

Filesize
982B

MD5
3e99f7d5c187b71a8a3b2eefe1d09d59

SHA1
113d048d05c7c9361e439b79ab9c04547e4d9eb5

SHA256
24b03283ccf68724b777e1a36878279f0dd9acd32fb25729ff7852d099d60270

SHA512
2e7eac8ce2d269e13237e6a751050ee671ba4db344e01f9ea3660595bf65f0ac59b08175ced94fdb5de87f06d219f6b5ffeeb1b92c8893ce142db725e1a374d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\ddc055c6-6b52-4e0e-a6f8-ca10ac3e2482

Filesize
659B

MD5
d04e53978c391790d583afd256683258

SHA1
c9112107e8dc68e0231aaa2112576c8db5398c7c

SHA256
1bfb41eba9abeafabe65b844b56ae17f9899e7ab60f67e964994dcf7ee819ee2

SHA512
08361984f0ce3c21229bdec9ba43e8c356b460443bbba956a6d5f230e27d51ab006d238a230445000aa188f092a4eb76a2d97283573dff0d1fca1fcbe722a930

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs-1.js

Filesize
10KB

MD5
52934b142abb60d80f86c9c3eb5db50b

SHA1
7407e93a6ab0ca5bdbdc2107053b50fc92c8b5ed

SHA256
c3a5585411c38df4033a03d9d3912f6a16430fe7dc9d1f6e13707d827336ace9

SHA512
d1a16a8f4a9a4e077f0a74f175296b37844a99b1d88e4d78eb7206864eae4266cc8dfb786a7b8cdf848c967e447b5b479090a70a1fbdef83287e0cbda303d668

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs-1.js

Filesize
11KB

MD5
1e1eea8fcd0c5f819154659f38a91956

SHA1
b75f9dd00833ad899686c8b35cae32fe1d04bfa3

SHA256
a0bdbeb4f9f383a8474925442a85c34414857f1448370d3583a190f6d2e5d491

SHA512
149d7e2ae1a1e35ab39f9d6e175a8337cd8ec112d7db95dae0c80e4f892f9fa3035706c721f16a9661b4380a0ec713f169f1d1e36ba9d678e4e13126c639b082

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\prefs.js

Filesize
10KB

MD5
1e24eda8b085051308d03ffbcb661d1d

SHA1
65fcc7fcbe5dfea355203c6d656cd93415f8cd7c

SHA256
4271666454c7cefcb85e81e70ec11dc91ddfe814ee907bdb2c138390aac02463

SHA512
af9487c00b1aadeb7c3eaf121cebfab595053bb55903af2af2158595b6987be2e65a0f988e6d2addbed17ce8b40348de2b24602d374d2f2f2a2b9590f7ae18b9

Download Submit
memory/848-1120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1392-627-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/1392-623-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/2376-22-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2376-583-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-20-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2376-1129-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-21-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2376-23-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/2376-1127-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-1124-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-1051-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-620-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-27-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-819-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-26-0x00000000009F1000-0x0000000000A1F000-memory.dmp

Filesize
184KB

Download
memory/2376-24-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2376-590-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-19-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2376-17-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-581-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-1135-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-496-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-25-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2376-1137-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2376-1122-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2404-4-0x0000000000820000-0x0000000000CE2000-memory.dmp

Filesize
4.8MB

Download
memory/2404-1-0x0000000077394000-0x0000000077396000-memory.dmp

Filesize
8KB

Download
memory/2404-3-0x0000000000820000-0x0000000000CE2000-memory.dmp

Filesize
4.8MB

Download
memory/2404-2-0x0000000000821000-0x000000000084F000-memory.dmp

Filesize
184KB

Download
memory/2404-16-0x0000000000820000-0x0000000000CE2000-memory.dmp

Filesize
4.8MB

Download
memory/2404-0-0x0000000000820000-0x0000000000CE2000-memory.dmp

Filesize
4.8MB

Download
memory/2428-624-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/2428-628-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/3372-1130-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/3372-1132-0x00000000009F0000-0x0000000000EB2000-memory.dmp

Filesize
4.8MB

Download
memory/3924-1034-0x00000000006C0000-0x0000000000744000-memory.dmp

Filesize
528KB

Download
memory/4952-568-0x0000000000400000-0x00000000031E4000-memory.dmp

Filesize
45.9MB

Download
memory/4952-536-0x0000000000400000-0x00000000031E4000-memory.dmp

Filesize
45.9MB

Download
memory/5520-582-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1125-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-724-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1121-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1123-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-610-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-723-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1134-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1128-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1136-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5520-1052-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/5564-1100-0x0000000000D30000-0x0000000000D82000-memory.dmp

Filesize
328KB

Download
memory/5872-580-0x00000000001D0000-0x0000000000698000-memory.dmp

Filesize
4.8MB

Download
memory/5872-566-0x00000000001D0000-0x0000000000698000-memory.dmp

Filesize
4.8MB

Download
memory/5920-901-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/5920-894-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5920-900-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/5920-902-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/5920-1059-0x0000000006E20000-0x0000000006E86000-memory.dmp

Filesize
408KB

Download
memory/5920-1067-0x00000000092A0000-0x0000000009462000-memory.dmp

Filesize
1.8MB

Download
memory/5920-1068-0x00000000099A0000-0x0000000009ECC000-memory.dmp

Filesize
5.2MB

Download
memory/5920-1069-0x00000000091D0000-0x0000000009220000-memory.dmp

Filesize
320KB

Download
memory/5920-919-0x00000000062C0000-0x0000000006336000-memory.dmp

Filesize
472KB

Download
memory/5920-920-0x0000000006A40000-0x0000000006A5E000-memory.dmp

Filesize
120KB

Download
memory/5920-923-0x00000000073D0000-0x00000000079E8000-memory.dmp

Filesize
6.1MB

Download
memory/5920-925-0x00000000072D0000-0x00000000072E2000-memory.dmp

Filesize
72KB

Download
memory/5920-926-0x0000000007330000-0x000000000736C000-memory.dmp

Filesize
240KB

Download
memory/5920-924-0x0000000008C50000-0x0000000008D5A000-memory.dmp

Filesize
1.0MB

Download
memory/5920-927-0x0000000007370000-0x00000000073BC000-memory.dmp

Filesize
304KB

Download
memory/6060-1001-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/6060-1029-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/6060-1005-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/6060-1004-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/6060-1002-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/6304-929-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6304-928-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6304-931-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/6756-878-0x000002AA1C5B0000-0x000002AA1C5D2000-memory.dmp

Filesize
136KB

Download
memory/6792-1033-0x0000000000A00000-0x0000000000A86000-memory.dmp

Filesize
536KB

Download
memory/6804-1053-0x00007FF710430000-0x00007FF710F08000-memory.dmp

Filesize
10.8MB

Download
memory/6804-1070-0x00007FF710430000-0x00007FF710F08000-memory.dmp

Filesize
10.8MB

Download
memory/6968-1007-0x00007FF70B120000-0x00007FF70C35E000-memory.dmp

Filesize
18.2MB

Download
memory/7060-1131-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/7060-1133-0x0000000000A60000-0x0000000000F28000-memory.dmp

Filesize
4.8MB

Download
memory/7104-1230-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download
memory/7104-1228-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download
memory/7104-1226-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download
memory/7104-1224-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download
memory/7104-1222-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download
memory/7104-1221-0x000002637AE70000-0x000002637AE71000-memory.dmp

Filesize
4KB

Download
memory/7104-1232-0x000002637AE80000-0x000002637AE81000-memory.dmp

Filesize
4KB

Download