umbral | hxxps://bit[.]ly/42E3zSU

Analysis

max time kernel
137s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/42E3zSU

Score

10^/10

umbral defense_evasion discovery execution spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242ff-429.dat	family_umbral
behavioral1/memory/2652-437-0x00000251EE420000-0x00000251EE460000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Launcher.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3324	powershell.exe
2492	powershell.exe
4664	powershell.exe
3972	powershell.exe
4176	powershell.exe
5508	powershell.exe
5260	powershell.exe
4516	powershell.exe
2184	powershell.exe
3956	powershell.exe
2288	powershell.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Launcher.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 12 IoCs

pid	Process
1772	Launcher.exe
2856	VRTPetSim99.exe
2652	VRT.exe
3652	Launcher.exe
5456	Launcher.exe
5340	VRTPetSim99.exe
2508	VRT.exe
4092	Launcher.exe
960	Launcher.exe
2136	VRTPetSim99.exe
2288	VRT.exe
1348	Launcher.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Launcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Launcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
147	discord.com
148	discord.com
154	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
136	ip-api.com
196	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3652	Launcher.exe
4092	Launcher.exe
1348	Launcher.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\deny_domains.list	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3516	PING.EXE
4872	cmd.exe
5500	PING.EXE
5852	cmd.exe
4792	PING.EXE
5504	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3444	wmic.exe
6064	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133890315833193152"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2645532622-3298555945-705856666-1000\{D5498042-C3D8-4901-96E4-6777BD52FFCE}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
896	NOTEPAD.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3516	PING.EXE
5500	PING.EXE
4792	PING.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2652	VRT.exe
2652	VRT.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
2508	VRT.exe
2508	VRT.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe
3956	powershell.exe
3956	powershell.exe
3956	powershell.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
3688	msedge.exe
3688	msedge.exe
2288	VRT.exe
2288	VRT.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
5508	powershell.exe
5508	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4812	AUDIODG.EXE
Token: SeRestorePrivilege	3248	7zG.exe
Token: 35	3248	7zG.exe
Token: SeSecurityPrivilege	3248	7zG.exe
Token: SeSecurityPrivilege	3248	7zG.exe
Token: SeDebugPrivilege	2652	VRT.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: 36	2508	wmic.exe
Token: SeIncreaseQuotaPrivilege	2508	wmic.exe
Token: SeSecurityPrivilege	2508	wmic.exe
Token: SeTakeOwnershipPrivilege	2508	wmic.exe
Token: SeLoadDriverPrivilege	2508	wmic.exe
Token: SeSystemProfilePrivilege	2508	wmic.exe
Token: SeSystemtimePrivilege	2508	wmic.exe
Token: SeProfSingleProcessPrivilege	2508	wmic.exe
Token: SeIncBasePriorityPrivilege	2508	wmic.exe
Token: SeCreatePagefilePrivilege	2508	wmic.exe
Token: SeBackupPrivilege	2508	wmic.exe
Token: SeRestorePrivilege	2508	wmic.exe
Token: SeShutdownPrivilege	2508	wmic.exe
Token: SeDebugPrivilege	2508	wmic.exe
Token: SeSystemEnvironmentPrivilege	2508	wmic.exe
Token: SeRemoteShutdownPrivilege	2508	wmic.exe
Token: SeUndockPrivilege	2508	wmic.exe
Token: SeManageVolumePrivilege	2508	wmic.exe
Token: 33	2508	wmic.exe
Token: 34	2508	wmic.exe
Token: 35	2508	wmic.exe
Token: 36	2508	wmic.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
3248	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3852	2980	msedge.exe	83
PID 2980 wrote to memory of 3852	2980	msedge.exe	83
PID 2980 wrote to memory of 3788	2980	msedge.exe	84
PID 2980 wrote to memory of 3788	2980	msedge.exe	84
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 4900	2980	msedge.exe	85
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86
PID 2980 wrote to memory of 1768	2980	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/42E3zSU
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x324,0x7ffdae5df208,0x7ffdae5df214,0x7ffdae5df220
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1908,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2400,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4252,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4980,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4284,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5548,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5548,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5844,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6096,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6480,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6776,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6784,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6844,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7084,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7180,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7152,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6184,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7340,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5320,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=868,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4948,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,15154329623058760299,1588517899639363439,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Script\" -spe -an -ai#7zMap29176:74:7zEvent10385
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3248

C:\Users\Admin\Downloads\Script\Launcher.exe
"C:\Users\Admin\Downloads\Script\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1772
- C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe
  "C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Users\Admin\AppData\Roaming\VRT.exe
  "C:\Users\Admin\AppData\Roaming\VRT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VRT.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5640
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2184
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3444
- C:\Users\Admin\AppData\Roaming\Launcher.exe
  "C:\Users\Admin\AppData\Roaming\Launcher.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3652
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C ping -n 8 127.0.0.1 > nul && rename "C:\Users\Admin\AppData\Roaming\Launcher.exe" "Launch_0GJulkPALSpYQuXKKI4Rq1HN.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5504
  - - C:\Windows\system32\PING.EXE
      ping -n 8 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3516

C:\Users\Admin\Downloads\Script\Launcher.exe
"C:\Users\Admin\Downloads\Script\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5456
- C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe
  "C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe"
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Users\Admin\AppData\Roaming\VRT.exe
  "C:\Users\Admin\AppData\Roaming\VRT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VRT.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1072
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4036
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3972
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:6064
- C:\Users\Admin\AppData\Roaming\Launcher.exe
  "C:\Users\Admin\AppData\Roaming\Launcher.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4092
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C ping -n 8 127.0.0.1 > nul && rename "C:\Users\Admin\AppData\Roaming\Launcher.exe" "Launch_Cprb2CxnOvRhxFbkE2mw0hGC.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4872
  - - C:\Windows\system32\PING.EXE
      ping -n 8 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5500

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Script\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:896

C:\Users\Admin\Downloads\Script\Launcher.exe
"C:\Users\Admin\Downloads\Script\Launcher.exe" C:\Users\Admin\Downloads\Script\VrtPetSim99Load.dll
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:960
- C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe
  "C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Users\Admin\AppData\Roaming\VRT.exe
  "C:\Users\Admin\AppData\Roaming\VRT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VRT.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:5644
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:5676
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4664
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5912
- C:\Users\Admin\AppData\Roaming\Launcher.exe
  "C:\Users\Admin\AppData\Roaming\Launcher.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1348
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C ping -n 8 127.0.0.1 > nul && rename "C:\Users\Admin\AppData\Roaming\Launcher.exe" "Launch_Vaum0gYKxscp4PXiWwrGk1GJ.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5852
  - - C:\Windows\system32\PING.EXE
      ping -n 8 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4792

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2980_1006202165\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2980_116150602\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2980_16768107\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Launcher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VRT.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VRTPetSim99.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cf3da7267cb6a35a74a4dceb3097a615

SHA1
a1b06c52d03147a6adbad9d32436b3b497115584

SHA256
18a6d652dd17544c9feb2e01621ed64b958b1a26bcee81e29ab29d5a409dc222

SHA512
6238eb406a42dfdf3faf7b62c92c6c0993974617f2ff403f6cd0a23dd2d53893bd96e92e78bbe6ba35ff191cdbcb8ecd69318c76547df76341ce9f2d43aae71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4521caea0dd5fe12c6cc6cc59778bb46

SHA1
b3b9c090ff3ddb98eec6933878226d61c4cdd58c

SHA256
47d8e6145560b2a1f46f565fe4d04e196bd8a122dbffc15b653b0ef401a3f58d

SHA512
87519c005782ebc91e6d874b8d05a71744bfc7dd6122667493248626e144630f76b5b291c9da27f8dfa7287fbd416707aa844ec81d83fc24b059bda538473eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
23def508655230e95f3b05743e70dab7

SHA1
2324adbd5d905e605713cabd22aebd7ba776de3b

SHA256
6cd9a1ddffc93209c3f0b67461c6a94468f2301a624741812a309b7dc8a61c29

SHA512
d84d70e3657cb555508bd36de4b89a4173154dcbc84d230a6e5110e48e57ab7256ba5119c6b305ae97ce00ce4137930e83aca6d8996f57e766950d8f96ebbf8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57de5a.TMP

Filesize
3KB

MD5
846e0cdfc21e112ebac7a8453f552857

SHA1
876e5e0c60d0a69d8a4b05ed7bccffa62b929d57

SHA256
861ffd8e3ba98cd6d5faf37560e0a78e15d6b2ccc488424b32c6f075c8bc8d9f

SHA512
8e36389d63d562e81ad7695d3b21341f6fb004910ad4a194d9675823341bb72e0a0e497e849b98383fd32ff128d9524ddc5dc899606f1e54de26d77273cd61f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
232B

MD5
22b53853dc8d8a5bd64439769f3e32af

SHA1
01de496d8c88025a6918e07c9d97be20735b6294

SHA256
f216ed5e7b4800a1fa58478f4ca0ab6317a81fc76abbf13a88f3fa748656e478

SHA512
31eb91a42dfd76f9c3e44be904cdca185ead21bec9d7f1e21e1a2ef2b7f5d084b866bc0692ebc300e65101a3f98f0c8d279a19483170da372752c8bc74d53772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b4173fcb323b3aa606243a43bf555d07

SHA1
f3051ef2f2b92757e7497b0c29374517ee65dbb8

SHA256
e0a17b160d93ede9932ee2cb3a173fb0b065a22be40a9014a2c0b246f7e8490c

SHA512
7c292222e7d539e789c32a5ae2aab6bcab31fadd9b08e03565845722a163c49f181caeda215cd705f828d8ed14472dc3da9341c4fa43d5bfed5e99be1bcb89ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
d2a9cae60b86cb6df047094f86843300

SHA1
a364c9540271b0356224ad3e1168370dbf26589b

SHA256
9ebbbeebd01a612be8b24342da9de8369a12fd580cc27dd4581bd8eeb021bf82

SHA512
f92b029339625032f58110058da2d3a6e8e099d46b0fa4fc6279f6ce6ecdeb04042bd04230080d845bcbf72d6c6edf77bb4cc7a537400179170bdd4a9142d55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
25a11244fd927f05033ff4ee1523736d

SHA1
f29f2a9cd826097fa5849e5f24045f953bd25254

SHA256
eef798c991265317c152abf4969d4282b7fc6892462c2e872277baac254be3f5

SHA512
0b37ec3bbfede45f63823baeba2c6cb7cb849686f6a2c604fb97c25ee26c714e446efe864f2d890a757450d966f5e20de67101addb77d0a99ce0d32f2757d2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
877743584ea828f3e172befcdbee7843

SHA1
cb343ac0835af225feca717dbdaf37055886f3dd

SHA256
0c85a6b9cede825240aaca83de81a2dad8f9920f7bc9de324d2f6ebd020b77b7

SHA512
d97041681e71997c546c7061fa83c4ba91ec6a302a03fcbf5790d95abad9854a82bd117d536ac71de6776043f83042437a25cb4520b972dd14627cdc2a0cd82c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
87bbac90bd4916eaf056be82f38dac32

SHA1
001925106d316782abd4caefcd6292c20a6ad8b9

SHA256
39071265cb4bbb3f0b63ed8389bde8738e10fbc03a06c0c2a1209bff00762ee8

SHA512
4d5f34d636377c0ae70a54eebc9b77e57e0f9145b446f3b08087eb3b8735b4e0e51343826a0368ef42ab930fa3b2c2aa89905405caefad6e89865107a1a132cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e772.TMP

Filesize
48B

MD5
a299560b5b8b919451c756d7d77c5afc

SHA1
1afecdbceda3cc7f01336dfb8aa0144588880a55

SHA256
a9bfe60cf8e2a17aecc4c995563d2130294f806eb39c49c03de7024bf7f64490

SHA512
dafe8cbfb55052ace444aa610b97bd6c135270e4156cbc8f6e72c1330d053addc89ae6777a1e498c2ed0e9098b5ece6125d4cdba8b74d029aa1dda0c39eb55d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
03db11af5ee873adb986dc8c2729d724

SHA1
2a6a5e22073b36ce31b75d1a79dd74980e7cf70b

SHA256
0b4ef11a2c586af4c0c4e75eb19c5868faddb2cbfffad53890118aabb20918c7

SHA512
9062af24ba0c21bf38a40d35fe1cb0a9788a34e5c01b21c1c90309bdad496bbc410db1aea37d9782073f8f74c95bb656375e592a5196b50cc8daf6a374f63899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
0102a43a51ec678e0aaadfe57984dea3

SHA1
2fa75d3f6a6e676d9bd95bc0412967796026b5a1

SHA256
e711ce55d6a88f311cd5141b08df5e8c02aaa8ea24dedf395ecb490961dce259

SHA512
9373cfded1da86af038f3eb3c5d478f9069b7b7e4f72317ee51fe000d6060eaa2c737c6c54d283ebf0ebc86bdff8391b6b77dc8920401a0e5632489af76435bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
276278bbb7646aff1a8f3bc1b0896e3b

SHA1
b60d8ad5c173641210b15294b9e8f4463c46323f

SHA256
1ba99ba9b0e5ba18d47bc4d3fc4e153ac8f42bc98a31627aeb39a0f18f0bad44

SHA512
5ff2cd5ccefccb5e8d6af064d63dc700d8de4be29ee2d708c828ffce79eec30969d80837da55d111f7a36297067292f2b54e4e62ff74e3e02f403adfe938403d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
77b8236e590fbd34cceea8f5799e982e

SHA1
e4a31c9b6cc1341d162f747fe2b9935e18ac6b6b

SHA256
e89d63bf34c1b5b8c87d87c79be4d8fffbba7c049fced31a80f8752eafd0e338

SHA512
0a4b4e4fd9d7cefcdafc859d442452598f1271a5ea59c6132a84c27e97db5e27dd33744face15a962a65bfa22a23ee96bffb1647615167cd61cea82b1108227a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e63fc48908c018385d58fbaf2dcf571f

SHA1
76dd4ca97dd5f0aa24e00b1fde72d56dcd240792

SHA256
f5f68dbde36ebada4aea18c90a939550b44bc7dd8285a7b4bc9f375d5858d90c

SHA512
b7a526136d3914d407b88ec7efb352139288753fc3414d6f568da48e13e6fde884a712db758acd0d84fbe5870f4e6a315787866a62cd533b95139f5eb8ec4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b933d1c84da045e2fb631d7713331156

SHA1
00112d770d0246516a54256135ed7ecb27e66c32

SHA256
f43226c30edb0ef7f126d62039148dcc41754d5979d046f523628ba543c69431

SHA512
f5f660dbb678fef679111f94954b916a9eff094f27544b3b6365010a3896f7f4eb1d8a83369b712ec5492638dca63ca2fe17ff2c043729aa2dcc78558afaa018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
ab07b37d84ebe5760b08e063d9b671cb

SHA1
fdb2b02f64af9245ad5ee63042fbde5772bbeb36

SHA256
e9e40f5417b88c4b97843c844768a7c8f7f1fe02a8044779296b3570c293c8bc

SHA512
3952c94323e848b56998d0419f36217a6832db5025ab2782498fc316f3fddc59d9352a121fdf6577a9f9101aeab14b1c3d85860ef4acb2c6e239507ec31424f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
dbd8df3bf5af7e9c9939a8bb5551107e

SHA1
f38171273804c241025c616168b82b7d9b1cce67

SHA256
b05c732e55f905f8e6d19ec198a1de93bd7c3d7df695fae818c0ca801db0597a

SHA512
aeeaf18a53348237f1d2876df5c67083e1653f258e0bbdd6959f84de6925ddc205adf1b394393ef77ac310bf74e0f8aadc1185914569d36510af8e862e0d1b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
45KB

MD5
fba472ce52eaa0635fb8b4cbcdd86afa

SHA1
dc376e99ab1ef73d517d8ec268b9328d48760873

SHA256
29ef07646f39065297b1db32a11cc8d8be8f7b0e07149018f2a0fc139fa2c5e2

SHA512
d798ba202b4ffd2b6ea87120766e73e0ed3f291bdbeaa9e4d263304a54bb4e74ed617e387af55b0900949191a68fcce32b0592d5e3490ba9e952e7c2ad634d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
45KB

MD5
ef616e061bb05a5591d3edcceffe2432

SHA1
7d3f4a98642303f4119ab19ec478ab4e63828b7c

SHA256
ca7f24d8be0979ba3fe1f2b59ee655a2f49e1bea362ebd82d7283a0264ad2c68

SHA512
fb3b298d2c4fe3c6e19ec234315a4d85e551af28d1aef5646ba72e1bea06583ce69410bc27a4412a79649cf7583af33a8a98b452660697866f2a9f2633bd9041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a6b3b83c7dc593bb969711d5c89f55f7

SHA1
e7c161ae857d908f10dad55ab25c2fcfe32222e3

SHA256
1e97d4826147812888f3e7f9e5fdf23431db1a0ead8c78c17f245b0365cffee1

SHA512
bcfaaeaed7df09e1c9193a9a992d27d22275c2cd729032644d39255338127aec22fb455f08bfd80f330a1813cff311a9be51477680948fe9bd6b6252fd222cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
45KB

MD5
f82158f84a224f67d4eb68cf691ba913

SHA1
4174cacb4c320137b710ad86c4132df32227d4af

SHA256
674dfc52e2d2b2ed1c352ff33c5c829ddbaea6c85412c7fef3b153053757a104

SHA512
0b5318de2c425804c492fb971b23fba1839695dcd290f929d7041302b08a9a09ec3a6dba56faa6a32536bc8ffc6153157fcd8736fb6d98224deb67dcad713ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
ecca5ed319e8af6a0aabebf3e9dc4820

SHA1
f3d735d6891df30bd6f6150873048f7a96e33c66

SHA256
0e7fdd067334e774370be3deebba9f3ca6c30caeda9923a32f7a0ca0ee6f190b

SHA512
c1755a111891133fc5d741ed01cfc97dd3bf6af7866d24cf1fcbd29aa518b6ad22efbe4e97248254edad006a402a8f76426a7ae589c283538894d04514f7e29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1a5cd54a073fcc6f996c5bf8eae9ab4

SHA1
f51b3b1fe5ec1ace8641c99d2769a0f9f93f640f

SHA256
d0cc04ed0b546b1d7f405da38b5c1addd1fbc26591027e76b9745a9c1daf584e

SHA512
6804bc8a338f7727396b107ee58e418dae2c086aa85c8edb4d4a90f7398963dc63bab06574ed8b3c593e76d7740ecacec63d1643c6f26058a5d947caafb7673c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a67eee085e8f68aaffbfdb51503d6561

SHA1
29db9b41945c6a5d27d5836a1c780668eded65a0

SHA256
6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4

SHA512
7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UvJggfiga23qzq9

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opecmiic.aoe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dS5x1MeOIcLYkMk

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3blFFwrR5HqRZF

Filesize
20KB

MD5
febe8b30c72b9ed5786ae265ebaf844a

SHA1
010452344e00fcf8609b9df083803311efe683e9

SHA256
72d049174f8bb874a5db67735ce76cab400f25a72391ec557ef2720785b4c4ac

SHA512
01863fd726d2bb344f368673a31df809a58c810940200a8cf02d1be09ce92f1d097419fffabbada9651d2977948111e0916e2012d92974f96ce7c942ef01732e

Download Submit
C:\Users\Admin\AppData\Roaming\Launcher.exe

Filesize
3.2MB

MD5
a59e26205512f2c3eaa983b12d987702

SHA1
364b7080dc41cb7a096f8d01e417c70c14d77c05

SHA256
a179b318d467e37b1e2892586a57b4668d649373cbf6c11af917ba654a6fde1e

SHA512
558cd6d631bc57ef27930b8f5e0147d787d971f31502840ae1420a8a5af8f6eeb7ff68f1b1890e0a8ff518a230296817242b9f1da3b181deab45d868ec0f6ee8

Download Submit
C:\Users\Admin\AppData\Roaming\VRT.exe

Filesize
230KB

MD5
ed3ad2a61d211fcb86b3f0f1450dc607

SHA1
76ca0b829ecba5af85385da1319f572e85d6a58c

SHA256
9c0117ebd29e7aa8108448fa7bcd0c1b90c5ec104fd1686a11cf3380cd08a1af

SHA512
19694f338bcdc098e03946d5c236ecc172c76b3622a2e870a5ac7630a6dc5706cfa32fe1047386776bfcbaaa2e13f8baab0b5b3c1b229a82f38b9cd469172fc7

Download Submit
C:\Users\Admin\AppData\Roaming\VRTPetSim99.exe

Filesize
390KB

MD5
37900b97d5571cc3a53ddf16a860e4ad

SHA1
663403d353fb451dba861eae3d8d9346bca96f30

SHA256
8e174905bdfe8fd34326c4ef032e9143a592a5870d0f6c73470be2302b917fa1

SHA512
cc74cdb88e6e7ab4fe669069ec150d6b06392aca47f43c0d4b9a8d8c6e0625204610ee6e5541132941c374abf8708666fb025c03ecd267fb8be4e273089cf256

Download Submit
C:\Users\Admin\Downloads\Script.zip

Filesize
9.8MB

MD5
ecdf5d51d64b8e3125f8d079d9539f77

SHA1
f9ffd27191066001dfca382e0b1bffcc6b0204a4

SHA256
3f6ed7f922a2761ea3959e682fa45b2d4ceed7e109d2bee8653355bab5e98c49

SHA512
b52d63c87e796e7ef36019d87a36c815a3a7048892e2089142678e10d5419a9daa692b66aff0dc13e6df238e88075926baaaac2b48f71e4249252428bb023b14

Download Submit
C:\Users\Admin\Downloads\Script\Launcher.exe

Filesize
3.8MB

MD5
471958b21ea69b0a34aebbbe39c85b51

SHA1
42682eab6ae2d7bc97fa52025af7e0cb62fda239

SHA256
fd3cbdb039747a79d401a7380f4974a24301abf0287cb5ae32f3453f4bf82914

SHA512
1bbb1ad90550daa74d86947e9d2cd3a63848d5ccb66f169e2ed7331b08ae0a9c35e669453d1ec968f5f93f6e3a3e316809eb7ffb6ecfe4fcc2119572b546ce46

Download Submit
C:\Users\Admin\Downloads\Script\README.txt

Filesize
219B

MD5
f71496bba0a1a854ed2f8572153f4c2d

SHA1
6d2dcda0285875f0155ba5f4f64fb261a7870d39

SHA256
68043f7aa64526d851d847ac5a91e3cbdbedf667f6f61bdaa9f72c7d2227c9c8

SHA512
25d050804615b9e03920661dea1433fa9879f5d499169d24710399aea85a125bd403598e65206a7e0c63da5b2c43a36e8958f2548c4d07defde8ba8bdcd3b390

Download Submit
memory/1348-855-0x00007FF7ABF10000-0x00007FF7AC6AE000-memory.dmp

Filesize
7.6MB

Download
memory/1348-853-0x00007FF7ABF10000-0x00007FF7AC6AE000-memory.dmp

Filesize
7.6MB

Download
memory/1348-854-0x00007FF7ABF10000-0x00007FF7AC6AE000-memory.dmp

Filesize
7.6MB

Download
memory/1348-856-0x00007FF7ABF10000-0x00007FF7AC6AE000-memory.dmp

Filesize
7.6MB

Download
memory/1348-867-0x00007FF7ABF10000-0x00007FF7AC6AE000-memory.dmp

Filesize
7.6MB

Download
memory/1772-412-0x00000000006E0000-0x0000000000AC0000-memory.dmp

Filesize
3.9MB

Download
memory/1772-413-0x000000001B760000-0x000000001BB28000-memory.dmp

Filesize
3.8MB

Download
memory/2492-461-0x00000212C15E0000-0x00000212C1602000-memory.dmp

Filesize
136KB

Download
memory/2652-437-0x00000251EE420000-0x00000251EE460000-memory.dmp

Filesize
256KB

Download
memory/2652-477-0x00000251F0B30000-0x00000251F0BA6000-memory.dmp

Filesize
472KB

Download
memory/2652-514-0x00000251F02C0000-0x00000251F02CA000-memory.dmp

Filesize
40KB

Download
memory/2652-515-0x00000251F0BF0000-0x00000251F0C02000-memory.dmp

Filesize
72KB

Download
memory/2652-481-0x00000251F0C10000-0x00000251F0C2E000-memory.dmp

Filesize
120KB

Download
memory/2652-478-0x00000251F02D0000-0x00000251F0320000-memory.dmp

Filesize
320KB

Download
memory/2856-434-0x0000000000D90000-0x0000000000DF8000-memory.dmp

Filesize
416KB

Download
memory/3652-449-0x00007FF76E5F0000-0x00007FF76ED8E000-memory.dmp

Filesize
7.6MB

Download
memory/3652-451-0x00007FF76E5F0000-0x00007FF76ED8E000-memory.dmp

Filesize
7.6MB

Download
memory/3652-544-0x00007FF76E5F0000-0x00007FF76ED8E000-memory.dmp

Filesize
7.6MB

Download
memory/3652-450-0x00007FF76E5F0000-0x00007FF76ED8E000-memory.dmp

Filesize
7.6MB

Download
memory/3652-447-0x00007FF76E5F0000-0x00007FF76ED8E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-582-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-581-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-580-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-578-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-686-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-780-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download
memory/4092-685-0x00007FF728ED0000-0x00007FF72966E000-memory.dmp

Filesize
7.6MB

Download