Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2024, 12:38

General

  • Target

    2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe

  • Size

    7.1MB

  • MD5

    40df460f6b8f9bd43677d5205612e43c

  • SHA1

    88f398954b15732bf03fb31d81b74876fef4164c

  • SHA256

    2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd

  • SHA512

    96f301985eeb5a8d9511343ba8c306b551c4cb9f75ffd98cb8259d60fe98f91216dc93701903f81755dbd3dbcf63f6251086d310c8fadd58939bcf2da35451f0

  • SSDEEP

    98304:rqvOLVHbyr6dilKumH9YR4506seVhF5O2l7bQ8hK1o6cm48KV92Ajhm8KokVDmZn:+vO9ymI0tU40rG/4M701rbjVm2

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://hallowed-noisy.sbs

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php
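
The three configs above give each family's C2 host and, for Amadey and Stealc, the request path. The following is an added example, not part of the sandbox report, that turns those values into network IOCs and runs them over constructed proxy log lines. It assumes (the report does not say so) that Amadey and Stealc request <C2><url_path>, so a host-plus-path match is reported separately from a weaker bare-host match; the Lumma C2s are domains only and match on host.

```python
"""
Added example (not part of the sandbox report): build IOCs from the three
extracted configs and match them against constructed proxy log lines.
Assumption: Amadey and Stealc POST to <C2><url_path>, so host and path are
matched as a pair; Lumma C2s are bare domains and match on host only.
"""
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report.
CONFIGS = {
    "amadey": {"c2": ["http://185.215.113.43"], "paths": ["/Zu7JuNko/index.php"]},
    "stealc": {"c2": ["http://185.215.113.206"], "paths": ["/c4becf79229cb002.php"]},
    "lumma": {"c2": [
        "https://preside-comforter.sbs", "https://savvy-steereo.sbs",
        "https://copper-replace.sbs", "https://record-envyp.sbs",
        "https://slam-whipp.sbs", "https://wrench-creter.sbs",
        "https://looky-marked.sbs", "https://plastic-mitten.sbs",
        "https://hallowed-noisy.sbs",
    ], "paths": []},
}


def build_iocs(configs=CONFIGS):
    """Return {family: {"hosts": set of host, "urls": set of (host, path)}}."""
    iocs = {}
    for family, cfg in configs.items():
        hosts, urls = set(), set()
        for c2 in cfg["c2"]:
            host = urlsplit(c2).hostname
            hosts.add(host)
            for path in cfg["paths"]:
                urls.add((host, path))
        iocs[family] = {"hosts": hosts, "urls": urls}
    return iocs


def classify_request(host, path, iocs):
    """Return (family, "url" | "host") for a request, or None if nothing matches.

    A host+path hit is stronger evidence than a bare host hit: both Amadey and
    Stealc sit in the same /24 here, so a request to the IP without the
    family-specific PHP gate is reported as the weaker "host" match.
    """
    for family, entry in iocs.items():
        if (host, path) in entry["urls"]:
            return family, "url"
    for family, entry in iocs.items():
        if host in entry["hosts"]:
            return family, "host"
    return None


def scan_proxy_log(lines, iocs):
    """Match 'client method url' lines (a constructed format) against the IOCs."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, method, url = parts[0], parts[1], parts[2]
        u = urlsplit(url)
        verdict = classify_request(u.hostname, u.path, iocs)
        if verdict:
            hits.append({"client": client, "method": method, "url": url,
                         "family": verdict[0], "match": verdict[1]})
    return hits


# Constructed sample log lines; only the IOC values come from the report.
SAMPLE_LOG = [
    "10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php",
    "10.0.0.15 GET http://185.215.113.206/c4becf79229cb002.php",
    "10.0.0.15 GET http://185.215.113.206/",
    "10.0.0.15 GET https://copper-replace.sbs/api",
    "10.0.0.15 GET https://example.com/index.php",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_iocs()):
        print(hit)
```

The matcher keeps host and path together on purpose: a match on `/Zu7JuNko/index.php` alone would also fire on unrelated sites, while a match on the IP alone cannot tell the two families on that range apart.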

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 23 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
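
Most of the signatures above are registry reads: BIOS and ACPI values for VirtualBox, the Wine key, the Geo\Nation value, the Uninstall key, plus writes to the Run key and to Defender's real-time protection settings. The following is an added example, not the sandbox's own signature logic, that classifies registry events from a process trace into those categories. The key paths are assumptions based on where Windows keeps this data; the report names the categories, not the keys. The events are constructed, with PIDs borrowed from the process tree below.

```python
"""
Added example (not the sandbox's own signature logic): map registry events
from a process trace onto the signature categories in the report.
Assumption: the key paths below are where Windows stores each item; the
report lists only the category names, not the keys it checks.
"""
import re

# (category, regex over "HIVE\path\value"). Case-insensitive because samples
# vary the casing of the same key.
RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Enumerates VirtualBox registry keys",
     re.compile(r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("Checks processor information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+\\", re.I)),
    ("Identifies Wine through registry keys",
     re.compile(r"^HKCU\\Software\\Wine", re.I)),
    ("Checks computer location settings",
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Adds Run key to start application",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("Modifies Windows Defender Real-time Protection settings",
     re.compile(r"^HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender\\Real-Time Protection\\", re.I)),
]

# Categories that indicate the sample is probing for an analysis environment.
EVASION = {
    "Identifies VirtualBox via ACPI registry values",
    "Enumerates VirtualBox registry keys",
    "Checks BIOS information in registry",
    "Checks processor information in registry",
    "Identifies Wine through registry keys",
}

# Categories that only count when the value is written: Explorer and every
# installer read the Run key, so a read there is noise.
WRITE_ONLY = {
    "Adds Run key to start application",
    "Modifies Windows Defender Real-time Protection settings",
}


def classify_event(op, key):
    """Return the category for one registry event (op, key), or None."""
    for category, pattern in RULES:
        if not pattern.search(key):
            continue
        if category in WRITE_ONLY and op != "RegSetValue":
            continue
        return category
    return None


def summarize(events):
    """Group (pid, op, key) events into {pid: {category: [keys]}}."""
    by_pid = {}
    for pid, op, key in events:
        category = classify_event(op, key)
        if category:
            by_pid.setdefault(pid, {}).setdefault(category, []).append(key)
    return by_pid


def evasion_score(summary_for_pid):
    """Number of distinct anti-VM/anti-sandbox categories one process touched."""
    return len(set(summary_for_pid) & EVASION)


# Constructed events; PIDs follow the process tree in the report.
SAMPLE_EVENTS = [
    (2564, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2564, "RegOpenKey",    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (2564, "RegOpenKey",    r"HKCU\Software\Wine"),
    (2564, "RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    (2564, "RegSetValue",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\skotes"),
    (4644, "RegSetValue",   r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"),
    (1060, "RegOpenKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarkText"),
    (1060, "RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    for pid, cats in summarize(SAMPLE_EVENTS).items():
        print(pid, "evasion score", evasion_score(cats), sorted(cats))
```

The read/write distinction is what keeps the installer (PID 1060) out of the persistence bucket: it enumerates the Uninstall key and reads Run, which is normal setup behaviour, while the Amadey loader both probes the VM indicators and writes its own Run value.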

Processes

  • C:\Users\Admin\AppData\Local\Temp\2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe
    "C:\Users\Admin\AppData\Local\Temp\2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Users\Admin\AppData\Local\Temp\1009881001\da2b6b55d7.exe
              "C:\Users\Admin\AppData\Local\Temp\1009881001\da2b6b55d7.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4448
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1672
                7⤵
                • Program crash
                PID:1204
            • C:\Users\Admin\AppData\Local\Temp\1009882001\marktext-setup.exe
              "C:\Users\Admin\AppData\Local\Temp\1009882001\marktext-setup.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1060
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq MarkText.exe" | find "MarkText.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2580
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq MarkText.exe"
                  8⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2972
                • C:\Windows\SysWOW64\find.exe
                  find "MarkText.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2352
            • C:\Users\Admin\AppData\Local\Temp\1009884001\6451cb07ee.exe
              "C:\Users\Admin\AppData\Local\Temp\1009884001\6451cb07ee.exe"
              6⤵
              • Enumerates VirtualBox registry keys
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3684
            • C:\Users\Admin\AppData\Local\Temp\1009889001\09f2fe6dc7.exe
              "C:\Users\Admin\AppData\Local\Temp\1009889001\09f2fe6dc7.exe"
              6⤵
              • Enumerates VirtualBox registry keys
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1976
            • C:\Users\Admin\AppData\Local\Temp\1009890001\e0d8809da3.exe
              "C:\Users\Admin\AppData\Local\Temp\1009890001\e0d8809da3.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3648
            • C:\Users\Admin\AppData\Local\Temp\1009891001\5b5f932772.exe
              "C:\Users\Admin\AppData\Local\Temp\1009891001\5b5f932772.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3768
            • C:\Users\Admin\AppData\Local\Temp\1009892001\f80becfccf.exe
              "C:\Users\Admin\AppData\Local\Temp\1009892001\f80becfccf.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1588
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:756
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3640
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4540
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3988
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4688
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                PID:4456
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  8⤵
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:2100
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e692c449-bf57-4c01-9514-4103837e23dd} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" gpu
                    9⤵
                    PID:5020
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9269fcc3-677f-49b8-8eeb-0928aa9ad92c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" socket
                    9⤵
                    PID:5080
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1348 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2832 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74584b0d-3741-4eb1-a43d-e9c33eb41bbd} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
                    9⤵
                    PID:4720
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f00165-83c3-4f4e-824b-8f3b62de069c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
                    9⤵
                    PID:840
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa8dbf69-f029-4555-869d-029dc6c6251e} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" utility
                    9⤵
                    • Checks processor information in registry
                    PID:6816
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5652 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2e4a531-edb2-4d34-a1c8-cf7553b721d2} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
                    9⤵
                    PID:5796
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2029b3f6-76e2-408e-b905-4ccc319a366c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
                    9⤵
                    PID:5840
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5aa352f-62f0-4b58-afab-9d9d4b741de5} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
                    9⤵
                    PID:5852
            • C:\Users\Admin\AppData\Local\Temp\1009893001\fd7ce4a852.exe
              "C:\Users\Admin\AppData\Local\Temp\1009893001\fd7ce4a852.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Windows security modification
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4644
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4448 -ip 4448
    1⤵
    PID:4868
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3104
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5096
  • C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe
    "C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe
      C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\marktext /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\marktext\Crashpad --url=http://0.0.0.0/ --annotation=_companyName=marktext --annotation=_productName=marktext --annotation=_version=0.17.1 --annotation=prod=Electron --annotation=ver=15.4.0 --initial-client-data=0x468,0x470,0x474,0x444,0x478,0x7ff717ce4730,0x7ff717ce4740,0x7ff717ce4750
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2896
    • C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe
      "C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe" --type=gpu-process --field-trial-handle=1704,12302096962988457440,8946573156822526280,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\marktext" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4784
    • C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe
      "C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,12302096962988457440,8946573156822526280,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\marktext" --mojo-platform-channel-handle=2184 /prefetch:8
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2108
    • C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe
      "C:\Users\Admin\AppData\Local\Programs\MarkText\MarkText.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\marktext" --app-user-model-id=electron.app.MarkText --app-path="C:\Users\Admin\AppData\Local\Programs\MarkText\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1704,12302096962988457440,8946573156822526280,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4552
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1632
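
One chain in the tree above deserves its own detection: f80becfccf.exe (PID 1588) runs taskkill /F against firefox, chrome, msedge, opera and brave, then starts Firefox with --kiosk on a youtube.com URL whose query string carries a Google sign-in URL, which is how a full-screen credential prompt is put in front of the user. The following is an added example, not part of the report, that finds that kill-then-kiosk pattern in process-creation events by linking children to their parent. The events are a constructed subset of the tree (PIDs and command lines as reported) plus two benign entries.

```python
"""
Added example (not part of the sandbox report): flag a parent process that
force-kills browsers and then relaunches one in --kiosk mode, as PID 1588
does in the tree above. Input is a list of process-creation events with
pid, ppid, image and cmdline; the sample events are constructed from the
report's process tree.
"""
import re
from urllib.parse import urlsplit

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
KILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I)
KIOSK_RE = re.compile(r"--kiosk\s+\"?([^\"\s]+)", re.I)
URL_IN_QUERY_RE = re.compile(r"https?://[^\s&\"]+", re.I)


def image_name(path):
    """Last path component, lower-cased, so C:\\...\\taskkill.exe -> taskkill.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def embedded_signin_url(url):
    """Return a URL carried inside the query string of `url`, if any.

    The landing page here is youtube.com, but the query embeds
    accounts.google.com/v3/signin/...; that inner URL is what the kiosk
    window ends up presenting, so it is the value worth alerting on.
    """
    m = URL_IN_QUERY_RE.search(urlsplit(url).query)
    return m.group(0) if m else None


def detect_kiosk_phishing(events):
    """Return one alert per parent whose children kill browsers and open a kiosk window."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    alerts = []
    for ppid, kids in children.items():
        killed, kiosk_urls = set(), []
        for ev in kids:
            name = image_name(ev["image"])
            if name == "taskkill.exe":
                m = KILL_RE.search(ev["cmdline"])
                if m and m.group(1).lower() in BROWSERS:
                    killed.add(m.group(1).lower())
            elif name in BROWSERS:
                m = KIOSK_RE.search(ev["cmdline"])
                if m:
                    kiosk_urls.append(m.group(1))
        # Both halves are required: killing browsers alone is what updaters do,
        # and --kiosk alone is used by signage and test automation.
        if killed and kiosk_urls:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": image_name(by_pid[ppid]["image"]) if ppid in by_pid else None,
                "killed_browsers": sorted(killed),
                "kiosk_urls": kiosk_urls,
                "embedded_urls": [u for u in map(embedded_signin_url, kiosk_urls) if u],
            })
    return alerts


TK = r"C:\Windows\SysWOW64\taskkill.exe"
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed from the process tree above, plus two benign entries.
SAMPLE_EVENTS = [
    {"pid": 1588, "ppid": 2564, "image": r"C:\Users\Admin\AppData\Local\Temp\1009892001\f80becfccf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1009892001\f80becfccf.exe"'},
    {"pid": 756,  "ppid": 1588, "image": TK, "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 3640, "ppid": 1588, "image": TK, "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"pid": 4540, "ppid": 1588, "image": TK, "cmdline": "taskkill /F /IM msedge.exe /T"},
    {"pid": 3988, "ppid": 1588, "image": TK, "cmdline": "taskkill /F /IM opera.exe /T"},
    {"pid": 4688, "ppid": 1588, "image": TK, "cmdline": "taskkill /F /IM brave.exe /T"},
    {"pid": 4456, "ppid": 1588, "image": FF,
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'},
    # Benign (constructed): an updater that kills Chrome and launches nothing.
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe"},
    # Benign (constructed): a normal, non-kiosk browser launch.
    {"pid": 9002, "ppid": 4000, "image": FF,
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com/'},
]

if __name__ == "__main__":
    for alert in detect_kiosk_phishing(SAMPLE_EVENTS):
        print(alert)
```

Linking on the parent PID is what makes this robust to ordering: the sandbox shows the five taskkill children before the Firefox child, but the rule fires on the set of siblings, not on their sequence, so it still matches if the browser is relaunched first and the kills come later.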

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\download[1].htm

                        Filesize

                        1B

                        MD5

                        cfcd208495d565ef66e7dff9f98764da

                        SHA1

                        b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                        SHA256

                        5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                        SHA512

                        31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

                        Filesize

                        19KB

                        MD5

                        4b675f54e9c749f9a374eb83e4278b01

                        SHA1

                        d5329a4f2ae3116af3b8a2352798b1eb5a1e5008

                        SHA256

                        0496f4c4dfb716e86a9e646bd9ac14fa848d23b9deaeeb5137b2be53c8061808

                        SHA512

                        b28696b04e48b319655f2f81cd744413fd1e3cf1ee85a80b8fc4f44d2e1eab276f92b6c5d45267a5d745aa933e78bf51b6cf467ee7448af363668cc805550ed8

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\chrome_100_percent.pak

                        Filesize

                        138KB

                        MD5

                        0fd0a948532d8c353c7227ae69ed7800

                        SHA1

                        c6679bfb70a212b6bc570cbdf3685946f8f9464c

                        SHA256

                        69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf

                        SHA512

                        0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\chrome_200_percent.pak

                        Filesize

                        202KB

                        MD5

                        1014a2ee8ee705c5a1a56cda9a8e72ee

                        SHA1

                        5492561fb293955f30e95a5f3413a14bca512c30

                        SHA256

                        ed8afe63f5fc494fd00727e665f7f281600b09b4f4690fa15053a252754e9d57

                        SHA512

                        ac414855c2c1d6f17a898418a76cce49ad025d24c90c30e71ad966e0fd6b7286acf456e9f5a6636fd16368bc1a0e8b90031e9df439b3c7cd5e1e18b24a32c508

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\ffmpeg.dll

                        Filesize

                        2.6MB

                        MD5

                        5ea2d76397b15c93389259dac0662b71

                        SHA1

                        da812692d8982ef45b31480c9eac0990bd4c3631

                        SHA256

                        e097e446a3295659d56828fbb3b566114d374956563ef0bc2ba204289bb39988

                        SHA512

                        cee60c1a5044fc8b03ff5cc402ddc70d9ab3c0bd894ad99da629aeecc6b1a7d3708b500103d31c72332d1e4c6535c30d7140096d311189bbc7392941d6eaac18

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\icudtl.dat

                        Filesize

                        9.7MB

                        MD5

                        224ba45e00bbbb237b34f0facbb550bf

                        SHA1

                        1b0f81da88149d9c610a8edf55f8f12a87ca67de

                        SHA256

                        8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

                        SHA512

                        c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\locales\en-US.pak

                        Filesize

                        95KB

                        MD5

                        214e2b52108bbde227209a00664d30a5

                        SHA1

                        e2ac97090a3935c8aa7aa466e87b67216284b150

                        SHA256

                        1673652b703771ef352123869e86130c9cb7c027987753313b4c555a52992bab

                        SHA512

                        9029402daea1cbe0790f9d53adc6940c1e483930cf24b3a130a42d6f2682f7c2d6833f2cd52f2417009c3655fed6a648b42659729af3c745eaa6c5e8e2b5bb9e

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\resources.pak

                        Filesize

                        5.6MB

                        MD5

                        f616d69f6e582582930d06c5c18f0f70

                        SHA1

                        fde8e2653f2a5317492105bcabeb3565faaf74de

                        SHA256

                        bba807d7822c4317fd097da4a442b4206cb940d077cc127c42c1e29cf72fa855

                        SHA512

                        492e678860f240a62094f696a5e50f408f881c903fce655e18ac6450e3b88befde56778c7ffd20f22561fef07671f6c2f7463ffdd8a17fa2c82e072aee736016

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\resources\app.asar.unpacked\node_modules\ced\build\Release\ced.node

                        Filesize

                        955KB

                        MD5

                        52e4b307a01a0be4f68182e1122b495e

                        SHA1

                        56d8be9b55a5fd3dd6c2c50a70970528be1bee74

                        SHA256

                        4e689695898af1fbec34f9a178743485be6d76fa98a5b9e3124112e828a30f73

                        SHA512

                        e6eb94ed438b9f2b878f7047694f2da8c93af824825e941e5ca51360d2bd6ce31aa15231cf30429e2b5877f201b3f74b62cee67b74a190ec6541bf72cfc095cf

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

                        Filesize

                        693KB

                        MD5

                        776a06934bbc0b9bdee1081b9b813c47

                        SHA1

                        769717f3e8a991ac721546d5e2f736af344ee6fb

                        SHA256

                        9445e7925fcff2eb4e92a7447e6be984cd2834a50ab9629a24d0754c45577b7b

                        SHA512

                        d2de52758de3ff7453c5af941ec4c3062bab8e3e06aeadb939816cd49ad046cf8d5c3fd30c8a8286a1825ae3df8ef4b650d9819c914d778a10ff2e43b931c906

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\resources\app.asar.unpacked\node_modules\native-keymap\build\Release\keymapping.node

                        Filesize

                        667KB

                        MD5

                        c3bc5d9493a2727c5f8045f49a75c43a

                        SHA1

                        df56e8eabb8919d8d7c3ece3f677f7ecb68d635d

                        SHA256

                        c7700b16136096b88d6c75c5a5466cf303d9bc62be6550abba383b9bfe14d04b

                        SHA512

                        94a007269d1d7c897282998dd795c6400052d36a66f7d1af235604e7893966d0f606af5cf9e720511dd8b3a1f3a9827f5c812d5e5365d41de9588fb24468d8b2

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\resources\md.ico

                        Filesize

                        102KB

                        MD5

                        2fcb7d6381c2e83b1b5aced2def8ba44

                        SHA1

                        84256dfdb7578a26325ba09dffbd94850b4f8367

                        SHA256

                        afdb3e0adb95c8c256ce49dbb7d4b01818fa00cd7464cec8ccecf0a7cc6b5d4d

                        SHA512

                        2efe31a0f68e350e82f7d819e4cf42623e9d77ef9d60a0a9c681e1118ed4e94182506d32ab4dd49d39a839466bd2ec0c6b6d088176763672fd1c9f3b43dca532

                      • C:\Users\Admin\AppData\Local\Programs\MarkText\v8_context_snapshot.bin

                        Filesize

                        160KB

                        MD5

                        89f5b9dc2c1eccfce7c3681b8066125f

                        SHA1

                        273175d93ae554da7f63a6475426a6515d0c8cd1

                        SHA256

                        7f148fb442066d6904f774ec588e667d82f237523cf62c10fbb4240d30d2de91

                        SHA512

                        469a87f53b5815c5d091cc87e3845e56fe45115efba4c48efc28064283e966f9e106103038f1c13650da43e64fa6b89fd0535338ae5b4f102e75160998fd1d61

                      • C:\Users\Admin\AppData\Local\Temp\1009881001\da2b6b55d7.exe

                        Filesize

                        1.9MB

                        MD5

                        b2d9e9b305c92045dfdf886cf0287182

                        SHA1

                        f983caca99ef85aae37d6fa602bab335f99c91dc

                        SHA256

                        ae564d1f04bda2b085436a00ff9a1a210360748e313994297cb4718b11e9bf92

                        SHA512

                        cdfc38b48f730a258381a83a9eaaa9bee38dbce95ac97fe60d0ded1419b288dba9f779796af4342d6fced67f7cd6b01568fa4e4f6f4115ee8351d84ad0bcae13

                      • C:\Users\Admin\AppData\Local\Temp\1009884001\6451cb07ee.exe

                        Filesize

                        4.3MB

                        MD5

                        2ba6fe9428da32103bb44c955939208d

                        SHA1

                        145b071306f5ad32a9385ff9f89bae6a1ec968e9

                        SHA256

                        1d64908fcbd9560615576da2b9b41ce76fafb939a0f04f559301a1946db4e936

                        SHA512

                        044e8a36a5e03c9c406a4b3f2fdcd3057412875e1ebd4456aeb257bf622570826c665206d0ac5468ee6bf5b5642910a3c41a08cfdd7fc9c711561d31322854f0

                      • C:\Users\Admin\AppData\Local\Temp\1009889001\09f2fe6dc7.exe

                        Filesize

                        4.2MB

                        MD5

                        0b55af827f58acea8620d659bd36e403

                        SHA1

                        b4003822554e2fe1692c70015008117e568fee63

                        SHA256

                        2079c5692d574fe0be41b7493a7dd3b455d2ab439ea7f0becc49c6584261e396

                        SHA512

                        580b484dd3828a932966668d797c5931c2b7cee6695008e853cdd657f43da867ba25ee2ac43b1193750a3028c09c875e75cbb8c1b6866994ebb8a06508d7ac95

                      • C:\Users\Admin\AppData\Local\Temp\1009890001\e0d8809da3.exe

                        Filesize

                        1.8MB

                        MD5

                        d1675a39609d5cd41c268e70711c7ee5

                        SHA1

                        1c2ce4df65dd63ea4f9974ff4f211865f622636f

                        SHA256

                        74e0ddd212fdca922fdf9a3221d849201216b6155e23fb0ff0ffb14d23082fd8

                        SHA512

                        8bd077e975ec9e75f908017cfbe7d9b97d65a2ec6627ca88c3d95856200b9c938a423b82461ed7a501031553290f54c8837b0114594e5b26fa758c86c55f2de6

                      • C:\Users\Admin\AppData\Local\Temp\1009891001\5b5f932772.exe

                        Filesize

                        1.7MB

                        MD5

                        45a44e016967a33a277601951d2b5e0d

                        SHA1

                        b8597c8004c973d34b1c3a72d93525b53ae28f9e

                        SHA256

                        549d3d44e4c8d9d5af2df736001d57a5794e0ef9428ae90fe54a574739356435

                        SHA512

                        7a9fdd3988ad301076e3bfe1a995d0359f29cf3377b59d7e3a0738cf2207066e0a9784eb113e13c7e3d2e50f97381bbc1ae84d4f1c8d355ff509067a7eb8766e

                      • C:\Users\Admin\AppData\Local\Temp\1009892001\f80becfccf.exe

                        Filesize

                        900KB

                        MD5

                        e95da9c734f70679a829c932bcc05884

                        SHA1

                        5e4b62499d9210732679c2d2c0c861f95d6c57b4

                        SHA256

                        cf8d0ac7e1d03c2bcbee68404434c91f160e5b429ef870fdc1a8b26d9ba1cc96

                        SHA512

                        53722efca75ba3447d74b2858c35b695ef4c585d3261814ced98702e7eef950b9d6889a22514af2d2ecb6c5b612fcc42e73da3b2ac49571a19d5cb2406229968

                      • C:\Users\Admin\AppData\Local\Temp\1009893001\fd7ce4a852.exe

                        Filesize

                        2.6MB

                        MD5

                        2b03b480ec8647afe04d151fcb12ee99

                        SHA1

                        a1c3a8992aefbdc1b98275419e2971cdf306ecbb

                        SHA256

                        1641d8934363108f30946bdd68dbed807afa8a16c11b0908857ac6ae7015313e

                        SHA512

                        0d4ff2dbdef1192b1b536453ef9cb1a7d65769b05064d2f9ec3a159185bc370f3e12d238b1240e344c51f2f5e19899a4cb40110733469e5c1e94658f60566856

                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe

                        Filesize

                        2.7MB

                        MD5

                        fe6b345ced53686b16f87f834af9eb17

                        SHA1

                        4d70ba2e5f890c6b3e5b723c3de82fa14fb0b13a

                        SHA256

                        172a34ccd02e38fc58a929884c68c1b51e9d995901cc6128538a04792a7d06ae

                        SHA512

                        63f38c5e6b0a84cfe9818e5bab77452b7b485b699d55d7e15b29fdcabd3d60ea00845f77318440b1c9b6daa6edd4103cb10bd21887d0029239b81ea680fe150f

                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe

                        Filesize

                        5.5MB

                        MD5

                        102d6abfebb1bce647e8cc6869061feb

                        SHA1

                        8c593bb304cbe83bad7bc9e964f2d524f6f70617

                        SHA256

                        293d3027a3e112bf0f2d8f270ce6d668349c97595c4bca5ea800a1be5b625957

                        SHA512

                        789be7787611f504d1e8b126f2ed9c38dc4e6416c971cf704cfee71a87f4ac02a6bdc5f239656da893eaf702486b3d6426901a392fd002d073d995599e4fe9eb

                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe

                        Filesize

                        1.7MB

                        MD5

                        eff725edfb37ab797a338efab7f09c76

                        SHA1

                        9a1d9acc84b66da5111b21dd37b27d4d3d505a8e

                        SHA256

                        f5310d2651b5565f1bdf48d30b6ed328e4e831914e03945a0981a4b990b12ade

                        SHA512

                        45fc7cc9de1a00303b9c33f1df57940cedd77e849937a3c11a6888b968b66af259662551b9c5433747a84e5b6eb0cefd6acd5385ef13b2bbf2854c934fafbb3d

                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe

                        Filesize

                        3.7MB

                        MD5

                        88fefb9aebb96ec822e07ed2c4987004

                        SHA1

                        b2aea74b9bcd7c6401cb25003894f377f5175816

                        SHA256

                        3144a0bef23db5cc5efe30ee83522f8f9e3dc7d2d83bcdc4d38db08fc5b34ab7

                        SHA512

                        7d18d4c404f68d7933882c676471e9e49e09dbf7a58bdb030e3efcfca861dac76950677cc2320baab5056281c95931f66ca245908b7dccd6a68b005d7ec00a26

                      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe

                        Filesize

                        1.8MB

                        MD5

                        a93b02d857db3b12c32bd765b83825ab

                        SHA1

                        137f12047a081e6581e1d1a83c939d98514c3ff3

                        SHA256

                        553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa

                        SHA512

                        aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd

                      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe

                        Filesize

                        1.8MB

                        MD5

                        d4aadd87af5fd4945bcbc76ff3d44e06

                        SHA1

                        55022b47287c2adef01bf8a5de17d320e3a507df

                        SHA256

                        d9afff60a7ef435234176904e6490409c99acd991a9cafe856f59b7e2064b486

                        SHA512

                        a89a6d0667d78e02b40f6e20868e7142a1c0866121daf22c1a686264b263b1467e1b4d377266d8a701ea93433fa0cda36307b0eba452e4c5a66c7a76ccdf7984

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\StdUtils.dll

                        Filesize

                        100KB

                        MD5

                        c6a6e03f77c313b267498515488c5740

                        SHA1

                        3d49fc2784b9450962ed6b82b46e9c3c957d7c15

                        SHA256

                        b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

                        SHA512

                        9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\System.dll

                        Filesize

                        12KB

                        MD5

                        0d7ad4f45dc6f5aa87f606d0331c6901

                        SHA1

                        48df0911f0484cbe2a8cdd5362140b63c41ee457

                        SHA256

                        3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

                        SHA512

                        c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\UAC.dll

                        Filesize

                        14KB

                        MD5

                        adb29e6b186daa765dc750128649b63d

                        SHA1

                        160cbdc4cb0ac2c142d361df138c537aa7e708c9

                        SHA256

                        2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

                        SHA512

                        b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\WinShell.dll

                        Filesize

                        3KB

                        MD5

                        1cc7c37b7e0c8cd8bf04b6cc283e1e56

                        SHA1

                        0b9519763be6625bd5abce175dcc59c96d100d4c

                        SHA256

                        9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

                        SHA512

                        7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\nsDialogs.dll

                        Filesize

                        9KB

                        MD5

                        466179e1c8ee8a1ff5e4427dbb6c4a01

                        SHA1

                        eb607467009074278e4bd50c7eab400e95ae48f7

                        SHA256

                        1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

                        SHA512

                        7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\nsExec.dll

                        Filesize

                        6KB

                        MD5

                        ec0504e6b8a11d5aad43b296beeb84b2

                        SHA1

                        91b5ce085130c8c7194d66b2439ec9e1c206497c

                        SHA256

                        5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

                        SHA512

                        3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

                      • C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\nsis7z.dll

                        Filesize

                        424KB

                        MD5

                        80e44ce4895304c6a3a831310fbf8cd0

                        SHA1

                        36bd49ae21c460be5753a904b4501f1abca53508

                        SHA256

                        b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

                        SHA512

                        c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

                        Filesize

                        2B

                        MD5

                        f3b25701fe362ec84616a93a45ce9998

                        SHA1

                        d62636d8caec13f04e28442a0a6fa1afeb024bbb

                        SHA256

                        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                        SHA512

                        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

                        Filesize

                        8KB

                        MD5

                        4b93a69805dd20c1852c05d37d27baed

                        SHA1

                        1e42649f8a0a316d9e58aca392c5c74fefcd8c08

                        SHA256

                        4c17fa9ffae0921bd715e9c8712dea1559f6acc180e8a649abe1ed52037d18f7

                        SHA512

                        2948668e1d0b52ad954efbfc15f4db3c9fccb4909623566ff4c826b4e7ded827fdaa5326bddc943b0df52d4087e65e0f322b78616030ce56726192985867acda

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

                        Filesize

                        12KB

                        MD5

                        1a7da26a7708fba6224d287834d73f46

                        SHA1

                        f066097240e9436c5ced49a0fe54498746bf7f93

                        SHA256

                        9e00cfeaf4d792c7cdf4a4f0059912cb1e3dbf14fbc7a9e0b719c22b1af9213e

                        SHA512

                        c0c930e6f77b2d485ab7fc1ee80c784ae4b9880b73c96b3bd4c6b831ce68ae3e75f0635d2dc881e9be7104c8aed4e2f1562abe6cbdd4557022e47e50bc07d37e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

                        Filesize

                        6KB

                        MD5

                        9b35a3fe774639256dd25a393431cc47

                        SHA1

                        56b7bfe2aadb20c4ac55644658a89dda8aaa32e4

                        SHA256

                        3c97765f80be88a9076c9c0794ec8fd208249ee883e0561f8b8885cf13a20b6e

                        SHA512

                        9f2cdb08d8d438f76b9ef7e3f87f4b2604f400eb05f5183978cdbdf3ca144cb125d16aea03399810464de3afc73f2426790d3aa4759b8914db44e01227329ce8

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin

                        Filesize

                        23KB

                        MD5

                        a98fcd29f35206adff9325c41b634575

                        SHA1

                        e1af09cb810e36387cdcf949e2cfdbb0bee0cfdf

                        SHA256

                        6344d54b2fd7fc2a84eed7f1cf6eb280a557ffea6b6c80a02c99d3b511225cc1

                        SHA512

                        b0bed7bc71d662fefd9d6065ea5d440d771350a70748430895c2e992427fe44708309ea543c0fbf52700e17039be353223bc078f7fd56e0996c0ec38b6d442d0

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin

                        Filesize

                        5KB

                        MD5

                        ae220b2051fa949d27f7f2562218c700

                        SHA1

                        49987d885d38ed15e8ebd9629e5f2eb81b711a2b

                        SHA256

                        452b2789a6d1a11e22eb48e98e5af63c476985b9459abda8d08a43b36b011a24

                        SHA512

                        ff2bb8abea4e50475a83411395cbc9f3e73baa737b29419d84327ef3df756f7765007ece2a5403ca951613852222c6f90715ba2e293f0cf748234f4cce97bf42

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        5KB

                        MD5

                        d9eb15cf205eec3c05ff20d420d2b560

                        SHA1

                        61f21f9fe53568fa01b8ece9d3ff34c6074e9e56

                        SHA256

                        a50bfc9cbe2b65e93dac277d04971c80f4b89e7b1ed0d98442a3c91fab255f95

                        SHA512

                        4e050083c64c441af6de160b1b60007abf0f8c932c248897d1e8571862c9a09d2415c5f1c2313da35c169aac00c3f461a580360720ec4d6659c20ea51109c270

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        6KB

                        MD5

                        16488a58ecafe108d87911e51d54b18f

                        SHA1

                        6adafa62fed5654144257582fad0fc97e89f34eb

                        SHA256

                        dbe795c772f4283f78098986f476ea754141911c609c80ec41bfdd15edbd66b3

                        SHA512

                        b5f66bc05eb1a9fc54cbf746dd9d696651686f779b7f4dfdac21b355f734f64cd27b8f1b5e8464ed39ba6f729a50507638f8063e96221cc47979a97330ae96a9

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\351bf7eb-97da-4b1b-9e00-8966f5170dab

                        Filesize

                        982B

                        MD5

                        eedca65f88daa91ad531f49847d216f9

                        SHA1

                        b9afbe4d45e2f079d9603dfeacd6cc37354ddeb5

                        SHA256

                        3755611ba1c58fd737cfc7a2e4f0a72abdbda720c21e10b82bde94f05ed6d381

                        SHA512

                        e6c5a5454bb7706108d1c1e678037ee582815776de2a36296667da493caf4ad5e22826ab359cfe071033030d4b8e9f32169b7f44b19127ac63b5b693b839fb37

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\472ba98b-2e03-4652-8b95-9276c822e114

                        Filesize

                        671B

                        MD5

                        fea248bb1a23cf8c9108b8637f8132fd

                        SHA1

                        f01a09c140718525f9f28c6801acbbfceb66eb62

                        SHA256

                        d3cde1f181a7bcea4193518db71ce9f7d29482ae0f242bf87205572142c172b1

                        SHA512

                        a0432bc8e92f52ffa36e12a3e32808402bbf0fc4544ea37467dd7a4295d29ea604bc8f06c3c35bd20b60bb6fbe7202d5048e8af59b2b5107a7ce2264f6568025

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\5b538e28-6ace-4be3-a6d4-ac8d937ddc93

                        Filesize

                        26KB

                        MD5

                        34358bfc499ed728efb9874d46b94fc6

                        SHA1

                        32f96676961365b337761347659133bc3abf8b6c

                        SHA256

                        507d24188a0e31927873fa4fc604b71d615a2273d679d93ec1e6d5028c17afad

                        SHA512

                        4319357c3f5c2c4c545d4049669c07046ac6e089af3a098595a8227d3286741b86003bba50f8bfc9c1cdd234317b974d1e8434ae3c481dec5fbe8384537c661b

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

                        Filesize

                        10KB

                        MD5

                        570ea7aab417cd4d5d901f67dc04c9ab

                        SHA1

                        3c6f59a82f110e07b89170ac4664f9096e92c2fd

                        SHA256

                        3dff565819a9f80a79c48224c046b36e4416ad72162cb4b0d1a28008e155fa91

                        SHA512

                        fd8190883ffde941d1a3488db4036337b750f8e519898adf4032cc66b990031837bfcd5c23557195f162ac7ac22c7964d4c092bdbb9b8ccece72fc2f58723e3f

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

                        Filesize

                        10KB

                        MD5

                        cbb85f0e7a88b2e0108eefa691bdfeba

                        SHA1

                        4c4f9b8496e0d54f37742175839df5b51883fbf1

                        SHA256

                        35963c3bcdcac15a5aacae52487a280096c5ac36f43175a18411ee03072141bd

                        SHA512

                        3cd10e59a6e249fd2fb5aeb9a6efa67c4ae2e783ca9e27be88c823880f829c0157652fe628ec40cb322118bf438f4924cf1ba859f00c5b7656ed3054aeb47aab

                      • C:\Users\Admin\AppData\Roaming\marktext\Crashpad\settings.dat

                        Filesize

                        40B

                        MD5

                        c5251eeb607c03294894d3883babf9f1

                        SHA1

                        c835eaf264fbd8912e5e98728a135ab4c5c0a691

                        SHA256

                        c1c392073d4fb42caea355497b54237c3d22985fe466da72526d6c4f16e2d429

                        SHA512

                        2b9493b63074c9f7856163f2984c75615cbade6e5ae5e9555f6054c94ea9a6609762fb5b654e68b7ab1d34d9689e61145f03bdfc54e93c0a1a7ec1596bb8009e

                      • C:\Users\Admin\AppData\Roaming\marktext\dataCenter.json

                        Filesize

                        313B

                        MD5

                        4f43f528f170e1b5f0e5aee16279267a

                        SHA1

                        9a93d4836fa94776c47dae1c1d195a45f6828a9d

                        SHA256

                        a1576aec7f47d7e3b2176117e8d0d91769582d95f1d26af2765d160a50ed2cc4

                        SHA512

                        d1a19e0f24be8e8eb26927a9314c8e9aa848c2c46ea3d6d982ba8c5c8044f2747fc8a5d66b4723dde97ba2790bfd8455bf56505d1e836cb1374c2048c820174c

                      • C:\Users\Admin\AppData\Roaming\marktext\preferences.json

                        Filesize

                        1KB

                        MD5

                        f80b68e5edad00533d1e792055d48f59

                        SHA1

                        d1808a570c4647495637562bcfbfd600c5aec804

                        SHA256

                        b47e450b379ff4c2837719c5f64cd388528334af1a938f097b0fbed084a690cd

                        SHA512

                        0689c20f1ebb332e6927b31edc060617d5d2e9870b7b9ba17a9ce5e9d79316bf54843935b0112537c840e311306b6c92472e1eb38e4114af680622056f730550

                      • C:\Users\Admin\AppData\Roaming\marktext\preferences.json.tmp-27976657224f3553

                        Filesize

                        1KB

                        MD5

                        2c46fd1375a55c1cbf8587b8faf9beea

                        SHA1

                        78e0defdd59467848892b167c2a061475bb780d1

                        SHA256

                        b47e968c6ceda86f6c544d04d87faf074064457efae079ad04e367de32e019a9

                        SHA512

                        dc9d22369d5938ab2bca26d83d4e159e65c2c4b114e0f88cce51f3f8efc2307bca8fe9570ed497de9a558cd41c195c7fb72cf2ad139555e90b7cb20d5bb5c3c1

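The dropped-file listing above mixes three different kinds of artifact: the loader's own downloads (the numbered directories and IXP00x.TMP under Local\Temp), files of a bundled MarkText/Electron installer and its NSIS plugin DLLs (Programs\MarkText, nsi63F1.tmp), and Firefox/MarkText profile data that changed during the run. Feeding every hash into an endpoint sweep would alert on any machine that installed MarkText, so the hashes have to be triaged first. The following is an added example, not part of the report or of any sandbox's tooling: it parses the listing layout used on this page, buckets entries by path with a heuristic that is the editor's assumption rather than a verdict from the report, and sweeps a directory tree against the SHA256 values of the dropped executables only. The sample listing is constructed from entries on this page with the blank lines between fields omitted; `demo_sweep` hashes a constructed stand-in file because the real payload bytes are not available offline.

```python
"""Added example (not part of the report): turn a sandbox 'dropped files'
listing into a SHA256 sweep list, keeping only entries worth alerting on."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed sample in the report's layout (blank lines between fields
# omitted); the two entries are copied from the listing above.
SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\1009893001\fd7ce4a852.exe
Filesize
2.6MB
MD5
2b03b480ec8647afe04d151fcb12ee99
SHA256
1641d8934363108f30946bdd68dbed807afa8a16c11b0908857ac6ae7015313e
• C:\Users\Admin\AppData\Local\Temp\nsi63F1.tmp\nsis7z.dll
Filesize
424KB
MD5
80e44ce4895304c6a3a831310fbf8cd0
SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
"""

HASH_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")


@dataclass
class Dropped:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Each entry is a '• path' line followed by field name / value pairs on
    successive non-blank lines (Filesize, MD5, SHA1, SHA256, SHA512)."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append(Dropped(path=line[1:].strip()))
            pending = None
        elif pending is None:
            pending = line  # a field name; its value is the next non-blank line
        else:
            if records:
                if pending == "Filesize":
                    records[-1].size = line
                elif pending in HASH_KEYS:
                    records[-1].hashes[pending] = line.lower()
            pending = None
    return records


def classify(path):
    """Editor's heuristic, not a verdict from the report: separate the loader's
    own drops from bundled installer files and browser/app profile data."""
    p = path.lower()
    if "\\programs\\marktext\\" in p or re.search(r"\\ns[a-z0-9]+\.tmp\\", p):
        return "installer-component"  # Electron/MarkText files, NSIS plugin DLLs
    if any(s in p for s in ("\\mozilla\\firefox\\", "\\roaming\\marktext\\", "\\spelling\\")):
        return "profile-data"
    if re.search(r"\\temp\\(\d+|ixp\d+\.tmp)\\[^\\]+\.exe$", p):
        return "dropped-executable"  # numbered download dirs and IExpress-style IXP00x.TMP
    return "other"


def ioc_sha256(records, buckets=("dropped-executable",)):
    """SHA256 -> report path, restricted to the buckets worth sweeping for."""
    return {r.hashes["SHA256"]: r.path for r in records
            if "SHA256" in r.hashes and classify(r.path) in buckets}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk a tree and return (local path, report path) for every hash hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            if digest in iocs:
                hits.append((full, iocs[digest]))
    return hits


def demo_sweep():
    """Offline demonstration: the real payload bytes are not available here, so a
    constructed stand-in file is hashed and registered under a report path."""
    stand_in = b"constructed stand-in bytes, not the real sample\n"
    fake = Dropped(path=r"C:\Users\Admin\AppData\Local\Temp\1009893001\fd7ce4a852.exe",
                   hashes={"SHA256": hashlib.sha256(stand_in).hexdigest()})
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("suspect.bin", stand_in), ("benign.txt", b"unrelated\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hits = sweep(root, ioc_sha256([fake]))
    return sorted(report_path for _, report_path in hits)
```

Against the full listing, `ioc_sha256(parse_listing(text))` yields the SHA256 values of the Temp\10098xxxxx\*.exe and IXP00x.TMP\*.exe drops and nothing else; the Programs\MarkText, nsi63F1.tmp and Firefox profile entries stay out of the sweep list. The bucketing is a path heuristic and will need adjusting for reports from other samples; the sweep itself matches on SHA256 only, since the MD5 and SHA1 columns are kept for cross-referencing other feeds rather than for matching.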
                      • memory/972-81-0x0000000000D00000-0x0000000000FC2000-memory.dmp

                        Filesize

                        2.8MB

                      • memory/972-51-0x0000000000D00000-0x0000000000FC2000-memory.dmp

                        Filesize

                        2.8MB

                      • memory/972-50-0x0000000000D00000-0x0000000000FC2000-memory.dmp

                        Filesize 2.8MB

                      • memory/972-48-0x0000000000D00000-0x0000000000FC2000-memory.dmp (Filesize 2.8MB)
                      • memory/972-86-0x0000000000D00000-0x0000000000FC2000-memory.dmp (Filesize 2.8MB)
                      • memory/1140-40-0x0000000000500000-0x00000000009B7000-memory.dmp (Filesize 4.7MB)
                      • memory/1140-39-0x0000000000500000-0x00000000009B7000-memory.dmp (Filesize 4.7MB)
                      • memory/1736-34-0x0000000000090000-0x0000000000556000-memory.dmp (Filesize 4.8MB)
                      • memory/1736-21-0x0000000000090000-0x0000000000556000-memory.dmp (Filesize 4.8MB)
                      • memory/1976-326-0x00000000006C0000-0x000000000131A000-memory.dmp (Filesize 12.4MB)
                      • memory/1976-404-0x00000000006C0000-0x000000000131A000-memory.dmp (Filesize 12.4MB)
                      • memory/2564-116-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-33-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-68-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-476-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-110-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-1368-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-111-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-79-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-91-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-208-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-118-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-119-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-120-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-117-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-109-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/2564-98-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/3104-115-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/3104-113-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/3648-395-0x00000000006E0000-0x0000000000B79000-memory.dmp (Filesize 4.6MB)
                      • memory/3648-453-0x00000000006E0000-0x0000000000B79000-memory.dmp (Filesize 4.6MB)
                      • memory/3684-176-0x0000000000330000-0x0000000000F37000-memory.dmp (Filesize 12.0MB)
                      • memory/3684-327-0x0000000000330000-0x0000000000F37000-memory.dmp (Filesize 12.0MB)
                      • memory/3768-471-0x0000000000F20000-0x00000000015B5000-memory.dmp (Filesize 6.6MB)
                      • memory/3768-475-0x0000000000F20000-0x00000000015B5000-memory.dmp (Filesize 6.6MB)
                      • memory/4180-44-0x0000000000D00000-0x0000000001389000-memory.dmp (Filesize 6.5MB)
                      • memory/4180-45-0x0000000000D00000-0x0000000001389000-memory.dmp (Filesize 6.5MB)
                      • memory/4448-102-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize 4.8MB)
                      • memory/4448-108-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize 4.8MB)
                      • memory/4448-95-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize 4.8MB)
                      • memory/4448-88-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize 4.8MB)
                      • memory/4448-67-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize 4.8MB)
                      • memory/4448-75-0x0000000010000000-0x000000001001C000-memory.dmp (Filesize 112KB)
                      • memory/4644-655-0x0000000000730000-0x00000000009E2000-memory.dmp (Filesize 2.7MB)
                      • memory/4644-656-0x0000000000730000-0x00000000009E2000-memory.dmp (Filesize 2.7MB)
                      • memory/4644-653-0x0000000000730000-0x00000000009E2000-memory.dmp (Filesize 2.7MB)
                      • memory/4644-1387-0x0000000000730000-0x00000000009E2000-memory.dmp (Filesize 2.7MB)
                      • memory/4768-72-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/4784-575-0x00007FFBA6B50000-0x00007FFBA6B51000-memory.dmp (Filesize 4KB)
                      • memory/5096-463-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)
                      • memory/5096-473-0x0000000000DC0000-0x0000000001286000-memory.dmp (Filesize 4.8MB)